Hi Daniel:
thx for the quick response, it is related to my system's AppArmor config, I guess. Googled.
If I update as suggested in https://github.com/containers/podman/issues/15009 (I dropped all capabilities):
metadata:
  name: podman
  annotations:
    container.apparmor.security.beta.kubernetes.io/podman: unconfined
it at least passes the basic `podman` command, and it raises other issues during build:
STEP 3/5: RUN yum repolist
WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping
WARN[0005] Path "/run/secrets/rhsm" from "/etc/containers/mounts.conf" doesn't exist, skipping
Will check more, thx.
Rgs, Larry
On Tue, Aug 13, 2024 at 12:52 PM Daniel Walsh <dwalsh(a)redhat.com> wrote:
On 8/13/24 05:35, Larry Cai wrote:
Hi:
I used to follow the podman setup inside k8s according to the article
https://www.redhat.com/sysadmin/podman-inside-kubernetes
Now 3 years have passed; do we have an updated article for this?
I have a vanilla k8s env, and `privileged: true` will not be allowed
soon, so what is the easiest way to set up a rootless, non-privileged environment?
apiVersion: v1
kind: Pod
metadata:
  name: podman
spec:
  containers:
  - name: podman
    image: registry.access.redhat.com/ubi9/podman
    command: ["sleep", "infinity"]
    securityContext:
      runAsUser: 1000
      privileged: true
Surely `hostPath` is not allowed as well?
In the Unix env, I can run `podman run -it -u podman:podman` to get the
correct env.
Any suggestions? (I am not a security expert to understand this.) If I remove
`privileged: true` I get the below:
[podman@podman ~]$ podman system info
Error: mount /home/podman/.local/share/containers/storage/overlay:/home/podman/.local/share/containers/storage/overlay, flags: 0x1000: permission denied
BTW: I only need the build env, maybe the `buildah` image shall be used
instead (but users are used to using the podman command).
Rgs, Larry
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
Take a look at the user namespace support for k8s. If you are allowed
to run a pod/container inside of a user namespace with enough UIDs and
CAP_SYS_ADMIN of the user namespace, then podman should just work.
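An added check, not from the thread, to run inside the pod (for example via `kubectl exec ... sh`): it tests the two conditions Daniel describes, whether the container is in its own user namespace with enough UIDs mapped and whether CAP_SYS_ADMIN is held in that namespace. The 65536-UID threshold and the function names are assumptions; the sample inputs in the comments are constructed.

```sh
# Added example, not from the thread: check the two conditions Daniel names,
# an own user namespace with enough UIDs mapped, and CAP_SYS_ADMIN held there.
# Functions take the text of /proc/self/uid_map and the CapEff line of
# /proc/self/status as arguments, so constructed samples can be fed in too.

# Total number of UIDs mapped into this user namespace.
# uid_map lines read "<inside> <outside> <count>", e.g. "0 100000 65536".
mapped_uid_count() {
    printf '%s\n' "$1" | awk '{ total += $3 } END { print total + 0 }'
}

# True when uid_map is the identity map "0 0 4294967295", meaning the
# container is still in the initial (host) user namespace.
is_initial_userns() {
    [ "$(printf '%s\n' "$1" | awk 'NR == 1 { print $1, $2, $3 }')" = "0 0 4294967295" ]
}

# True when the CapEff hex mask has CAP_SYS_ADMIN (capability number 21) set.
has_cap_sys_admin() {
    mask=$(printf '%s' "$1" | sed 's/^CapEff:[[:space:]]*//; s/^0x//')
    case $mask in '' | *[!0-9a-fA-F]*) return 1 ;; esac   # not a hex mask
    [ $(( 0x$mask >> 21 & 1 )) -eq 1 ]
}

# Threshold for "enough UIDs": 65536 is assumed here as the usual size of a
# rootless ID range; adjust to what your cluster hands out.
MIN_UIDS=65536

# Print a report on both conditions; exit status 0 only when both hold.
check_userns_podman_ready() {
    uid_map=$1; capeff=$2; ok=0
    if is_initial_userns "$uid_map"; then
        echo "user namespace: none (identity map of the host namespace)"; ok=1
    else
        count=$(mapped_uid_count "$uid_map")
        echo "user namespace: yes, $count UIDs mapped"
        [ "$count" -ge "$MIN_UIDS" ] || { echo "  fewer than $MIN_UIDS UIDs"; ok=1; }
    fi
    if has_cap_sys_admin "$capeff"; then
        echo "CAP_SYS_ADMIN: present in this namespace"
    else
        echo "CAP_SYS_ADMIN: missing, so mount(2) of the overlay storage is refused"; ok=1
    fi
    return $ok
}

# Run against the live process when executed inside the pod.
if [ -r /proc/self/uid_map ] && [ -r /proc/self/status ]; then
    check_userns_podman_ready "$(cat /proc/self/uid_map)" \
        "$(grep '^CapEff:' /proc/self/status)" || true
fi
```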