github/containerized-data-importer
7
0
Fork 0
mirror of https://github.com/kubevirt/containerized-data-importer.git synced 2025-06-03 06:30:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
a5cedb1555
containerized-data-importer/doc/block_cri_ownership_config.md
akalenyu f5d0b70b09
Document CRI configurable that smoothens non-root containers usage of block devices (#2458) 
Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>

Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
2022-11-04 00:47:23 +00:00

1.1 KiB
Raw Blame History

device_ownership_from_security_context CRI configurable

Introduction

Unlike volumes with fsGroup, devices have no official notion of deviceGroup/deviceUser that the CRI runtimes (or kubelet) would be able to use.
This makes it problematic for our workloads to populate block devices, and has manifested itself in the form of this community issue.

Solution

As explained in the source below, a solution that is seamless to end-users was chosen by the k8s community, without getting the device plugin vendors involved.
The selected approach was to re-use runAsUser and runAsGroup for devices, with an opt-in config entry for the CRI (device_ownership_from_security_context) that ensures no existing deployment breaks.
To use CDI, it is advised to opt-in.
For containerd:

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    device_ownership_from_security_context = true

CRI-O:

[crio.runtime]
device_ownership_from_security_context = true

Source

https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/