On 8/13/24 05:35, Larry Cai wrote:
Hi:

I am used to follow podman setup inside k8s according to article https://www.redhat.com/sysadmin/podman-inside-kubernetes 

Now 3 years have passed, do we have an updated article for this?

I have a vanilla k8s env, and `privileged: true` will not be allowed soon, so what is the easiest way to setup rootless-non-priv environment?

apiVersion: v1
kind: Pod
metadata:
name: podman
spec:
containers:
- name: podman
image: registry.access.redhat.com/ubi9/podman
command: ["sleep", "infinity"]
securityContext:
runAsUser: 1000
privileged: true
Surely `hostPath` is not allowed as well?

In the unix env, i can run `podman run -it -u podman:podman` to get correct env

Any suggestions? (i am not security expert to understand), if I remove `privileged: true` i got below

[podman@podman ~]$ podman system info
Error: mount /home/podman/.local/share/containers/storage/overlay:/home/podman/.local/share/containers/storage/overlay, flags: 0x1000: permission denied


BTW: i only need the build env, maybe `buildah` image shall be used instead (but users are used to use podman command)

Rgs, Larry

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io

Take at  look at teh user namespace support for k8s.  If you are allowed to run a pod/container inside of a user namespace with enough UIDs and CAP_SYS_ADMIN of the User namespace, then podman should just work.