Open
Description
Right now, all of our Prow jobs are running in a pod that is running as UID 0 as a privileged process (for accessing the host's devices, such as /sys/fs/cgroup) with the capability SYS_ADMIN (for using clone(2) and unshare(2), I assume).
```yaml
securityContext:
  privileged: true
  capabilities:
    add: ["SYS_ADMIN"]
```
We could improve on this and remove the UID 0 requirement by running the pods as a non-privileged user. For that, we can rely on the "cri in userns" feature of containerd or docker.
- containerd: https://github.com/containerd/containerd/blob/v1.6.1/contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh
- docker: I was not able to find an example of docker-in-docker in userns mode
🚧 Note that this issue does not relate to the fact that dockershim will be removed in Kubernetes 1.24. This change does not affect us since we are not accessing the docker socket present on the host (instead, we run our own docker daemon in each of the job pods).
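As an added example (not from this issue or the Prow project), a small audit that walks a pod spec the way a job config would look once parsed and flags the settings described above: `privileged: true`, the added `SYS_ADMIN` capability, and running as UID 0. Both specs are constructed; the hardened one assumes the runtime's userns support supplies the cgroup and clone/unshare access the job previously got from root.

```python
"""Flag container securityContext settings that grant root-equivalent access.

Added example, not part of the issue or Prow. WEAK_SPEC mirrors the
securityContext quoted in the issue; HARDENED_SPEC is one possible non-root
replacement and assumes the CRI userns feature covers what the job needed from root.
"""
from typing import Any, Dict, List

# Constructed: the pod spec as it would look once the job YAML is parsed.
WEAK_SPEC: Dict[str, Any] = {
    "containers": [{
        "name": "test",
        "securityContext": {
            "privileged": True,
            "capabilities": {"add": ["SYS_ADMIN"]},
        },
    }],
}

# Constructed: non-root variant (assumption: userns-mode CRI handles the rest).
HARDENED_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{
        "name": "test",
        "securityContext": {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


def audit_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """Return one finding per container for each root-equivalent setting."""
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    for c in spec.get("containers", []):
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            findings.append(f"{name}: adds CAP_SYS_ADMIN")
        # No runAsUser and no runAsNonRoot means the image default, usually UID 0.
        if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runs as UID 0")
    return findings
```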