github/containerized-data-importer
7
0
Fork 0
mirror of https://github.com/kubevirt/containerized-data-importer.git synced 2025-06-03 06:30:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
main
containerized-data-importer/doc/block_cri_ownership_config.md
Andrei Kvapil 7b330eb755
Describe device_ownership_from_security_context=true for Containerd v2 (#3452) 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2024-10-07 19:21:39 +02:00

1.3 KiB
Raw Permalink Blame History

device_ownership_from_security_context CRI configurable

Introduction

Unlike volumes with fsGroup, devices have no official notion of deviceGroup/deviceUser that the CRI runtimes (or kubelet) would be able to use.
This makes it problematic for our workloads to populate block devices, and has manifested itself in the form of this community issue.

Solution

As explained in the source below, a solution that is seamless to end-users was chosen by the k8s community, without getting the device plugin vendors involved.
The selected approach was to re-use runAsUser and runAsGroup for devices, with an opt-in config entry for the CRI (device_ownership_from_security_context) that ensures no existing deployment breaks.
To use CDI, it is advised to opt-in.
For Containerd v1:

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    device_ownership_from_security_context = true

For Containerd v2:

[plugins]
  [plugins."io.containerd.cri.v1.runtime"]
    device_ownership_from_security_context = true

CRI-O:

[crio.runtime]
device_ownership_from_security_context = true

Source

https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/