Using Mount Propagation bidirectional without Privileged Security context in kubernetes


I'm implementing support for a CSIDriver that uses Bidirectional mount propagation. This requires that the container be privileged, but in this project we are not allowed to use privileged containers.

Is there any other way to do this? I've tried to use the SYS_ADMIN capability, but it did not work.

    - name: spiffe-csi-driver
      image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
      imagePullPolicy: IfNotPresent
      args: [
        "-workload-api-socket-dir", "/spire-agent-socket",
        "-csi-socket-path", "/spiffe-csi/csi.sock",
      ]
      env:
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
      volumeMounts:
        - mountPath: /spire-agent-socket
          name: spire-agent-socket
          readOnly: true
        - mountPath: /spiffe-csi
          name: spiffe-csi-socket-dir
        # The volume containing mount points for containers.
        - mountPath: /var/lib/kubelet/pods
          mountPropagation: Bidirectional
          name: mountpoint-dir
      securityContext:
        privileged: true # need to remove
        # capabilities: # this didn't work
        #   add:
        #   - SYS_ADMIN

There is 1 answer

gohm'c (best answer)

According to K8s official documentation:

it is allowed only in privileged containers.
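As an added example (not code from the question, the answer, or the spiffe-csi project), here is a pre-submit check that flags exactly the combination the answer rules out: a `mountPropagation: Bidirectional` volume mount in a container whose `securityContext.privileged` is not `true`. It takes a Pod in the JSON shape that `kubectl get pod <name> -o json` returns (or a bare PodSpec). The API server rejects such a Pod at admission anyway, so the value is catching it in CI or manifest review and making explicit that adding a capability such as SYS_ADMIN does not substitute for `privileged: true`. `SAMPLE_POD`, the `sidecar` container and the `example.invalid` image are constructed for the demo.

```python
"""Flag Bidirectional mount propagation in non-privileged containers.

Input: a Pod (or PodSpec) as a dict, e.g. json.load() of
`kubectl get pod <name> -o json`. Added example, not project code.
"""
import json
import sys


def container_is_privileged(container):
    """True only when securityContext.privileged is explicitly true.
    Added capabilities (e.g. SYS_ADMIN) do not count; the question
    reports that they did not satisfy the requirement."""
    sc = container.get("securityContext") or {}
    return sc.get("privileged") is True


def find_violations(pod):
    """Return [(container_name, mountPath), ...] for every Bidirectional
    mount in a container that is not privileged. Empty list: no problem."""
    spec = pod.get("spec", pod)  # accept a full Pod or a bare PodSpec
    violations = []
    for section in ("initContainers", "containers"):
        for c in spec.get(section) or []:
            if container_is_privileged(c):
                continue
            for vm in c.get("volumeMounts") or []:
                if vm.get("mountPropagation") == "Bidirectional":
                    violations.append((c.get("name", "<unnamed>"),
                                       vm.get("mountPath", "<no mountPath>")))
    return violations


# Constructed sample: the question's container with `privileged: true`
# removed and the SYS_ADMIN capability added instead, plus a constructed
# sidecar using HostToContainer, which is allowed without privilege.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "spiffe-csi-driver-sample"},
    "spec": {
        "containers": [
            {
                "name": "spiffe-csi-driver",
                "image": "ghcr.io/spiffe/spiffe-csi-driver:0.1.0",
                "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
                "volumeMounts": [
                    {"mountPath": "/spire-agent-socket",
                     "name": "spire-agent-socket", "readOnly": True},
                    {"mountPath": "/var/lib/kubelet/pods",
                     "name": "mountpoint-dir",
                     "mountPropagation": "Bidirectional"},
                ],
            },
            {
                "name": "sidecar",                      # constructed
                "image": "example.invalid/sidecar:1",   # constructed
                "volumeMounts": [
                    {"mountPath": "/host-mounts", "name": "mountpoint-dir",
                     "mountPropagation": "HostToContainer"},
                ],
            },
        ]
    },
}


def main(argv):
    """Usage: check.py [pod.json]; with no argument, checks SAMPLE_POD.
    Exit status 1 when a violation is found, so it can gate a CI job."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            pod = json.load(fh)
    else:
        pod = SAMPLE_POD
    problems = find_violations(pod)
    for name, path in problems:
        print(f"container {name!r}: Bidirectional mount at {path} "
              f"requires securityContext.privileged: true")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the sample flagged, or `kubectl get pod <name> -o json > pod.json` and pass the file. The check is deliberately strict about `privileged` being the boolean `true`: a string `"true"` or a capability list is treated as not privileged, which matches how the field is actually evaluated.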