If we want to build OCI container images with docker and e.g. want to use the following pod setup:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dind
spec:
  containers:
  - name: build
    image: docker:23.0.1-cli
    command:
    - cat
    tty: true
    resources:
      requests:
        cpu: 10m
        memory: 256Mi
    env:
    - name: DOCKER_HOST
      value: tcp://localhost:2375
  - name: dind-daemon
    image: docker:23.0.1-dind-rootless
    securityContext:
      privileged: true
    resources:
      requests:
        cpu: 20m
        memory: 512Mi
    volumeMounts:
    - name: docker-graph-storage
      mountPath: /var/lib/docker
  volumes:
  - name: docker-graph-storage
    emptyDir: {}
```
I am wondering what the replacement is for

```yaml
securityContext:
  privileged: true
```

since that is deprecated in kubernetes >1.25 because: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

and if it's still possible to do the same as above and how?
As per kubernetes official API reference documentation for V 1.26 they have changed the fields for security context.
Instead of using `privileged: true` they got other parameters in the latest versions. Those are:

- `runAsUser`: You can run as any user in the latest versions by using the UID of the user if your image has that user. In general the UID for root users is 0, so you can mention the UID of the root user in the yaml file while creating the deployment.
- `allowPrivilegeEscalation`: If `allowPrivilegeEscalation` is set to true privileges will be escalated to the root user when required.
- `runAsNonRoot`: If `runAsNonRoot` is set to true a validation will be performed and kubernetes will stop the pod or container from starting; else, if it’s unset or set to false, it won’t prevent root execution, provided your image is built to run as root.

Both `runAsUser` and `runAsNonRoot` can be used if you want to execute the job or task continuously as root, whereas `allowPrivilegeEscalation` can be used for temporarily escalating privileges. Below is the yaml example file for the latest version, use it as a reference.

Note: The yaml code and the above explanation are derived from official kubernetes documentation.
[1] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[2] https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core
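As an added example (not part of the answer above, whose own YAML sample is not reproduced on this page), the following Python script audits a pod manifest for the `securityContext` fields the answer names, so you can see which containers would still run privileged or as root before applying the manifest. Both manifests are constructed for this example: `DIND_POD` is the question's docker-in-docker pod reduced to its security-relevant fields, and `HARDENED_POD` is a hypothetical variant with those fields set explicitly. The check only inspects the manifest; it cannot tell you whether the dind daemon actually works under those settings.

```python
"""Audit a Kubernetes pod manifest (as a parsed dict) for securityContext fields.

Added example: the manifests below are constructed, not taken from the answer.
"""

# Constructed sample: the question's docker-in-docker pod, reduced to the
# fields relevant to this check (resources, env and volumes omitted).
DIND_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dind"},
    "spec": {
        "containers": [
            {"name": "build", "image": "docker:23.0.1-cli"},
            {
                "name": "dind-daemon",
                "image": "docker:23.0.1-dind-rootless",
                "securityContext": {"privileged": True},
            },
        ]
    },
}

# Constructed sample: a hypothetical variant that sets the fields the answer
# discusses at pod level (runAsUser, runAsNonRoot) and at container level
# (allowPrivilegeEscalation, privileged).
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "dind-hardened"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [
            {
                "name": "build",
                "image": "docker:23.0.1-cli",
                "securityContext": {"allowPrivilegeEscalation": False},
            },
            {
                "name": "dind-daemon",
                "image": "docker:23.0.1-dind-rootless",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "privileged": False,
                },
            },
        ],
    },
}


def effective_security_context(pod, container):
    """Merge pod-level and container-level securityContext.

    Container-level values override pod-level ones for fields that exist at
    both levels (runAsUser, runAsNonRoot); privileged and
    allowPrivilegeEscalation exist only at container level.
    """
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def audit_pod(pod):
    """Return one finding string per container/field problem; [] means clean."""
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    for container in pod.get("spec", {}).get("containers", []):
        where = f"{pod_name}/{container.get('name', '<unnamed>')}"
        sc = effective_security_context(pod, container)

        if sc.get("privileged") is True:
            findings.append(f"{where}: privileged=true gives the container full host access")
        # An unset field leaves privilege escalation allowed; only an explicit
        # false sets no_new_privs on the container process.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{where}: runAsNonRoot is not true, root execution is not prevented")
        if sc.get("runAsUser") == 0:
            findings.append(f"{where}: runAsUser=0 runs the container as root")
    return findings


if __name__ == "__main__":
    for pod in (DIND_POD, HARDENED_POD):
        issues = audit_pod(pod)
        print(f"{pod['metadata']['name']}: {'clean' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Running it reports five findings for the question's pod (both containers leave `allowPrivilegeEscalation` and `runAsNonRoot` unset, and `dind-daemon` is privileged) and none for the hardened variant; feeding it a manifest parsed from YAML with any YAML library gives the same result, since it only inspects the dict structure.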