Right now, all of our Prow jobs are running in a pod that is running as UID 0 as a privileged process (for accessing the host's devices, such as /sys/fs/cgroup) with the capability SYS_ADMIN (for using clone(2) and unshare(2) I assume).
We could improve on this and remove the UID 0 requirement by running the pods as non-privileged users. For that, we can rely on the "cri in userns" feature of containerd or docker.
docker: I was not able to find an example of docker-in-docker in userns mode
🚧 Note that this issue does not relate to the fact that dockershim will be removed in Kubernetes 1.24. This change does not affect us since we are not accessing the docker socket present on the host (instead, we run our own docker daemon in each of the job pods).
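As an added illustration (not code from the Prow project or from this issue), a small Python audit that flags, in a pod manifest, the three settings the issue describes: UID 0, `privileged: true`, and `SYS_ADMIN` added; the two sample manifests are constructed, and the image names are placeholders.

```python
"""Audit a Kubernetes pod manifest for the three properties the issue
describes: running as UID 0, privileged: true, and CAP_SYS_ADMIN added."""
from typing import Any, Dict, List


def _caps_added(sc: Dict[str, Any]) -> List[str]:
    """Normalise the capabilities.add list (the CAP_ prefix is optional in k8s)."""
    raw = (sc.get("capabilities") or {}).get("add") or []
    return [c.upper()[4:] if c.upper().startswith("CAP_") else c.upper() for c in raw]


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding string per risky setting found in the pod."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Container-level fields override pod-level ones when both are set.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (host devices, all capabilities)")
        if uid == 0:
            findings.append(f"{name}: runAsUser=0")
        elif uid is None and not non_root:
            findings.append(f"{name}: UID not pinned and runAsNonRoot unset")
        caps = _caps_added(sc)
        if "SYS_ADMIN" in caps or "ALL" in caps:
            findings.append(f"{name}: capabilities.add includes SYS_ADMIN")
    return findings


# Constructed sample manifests (not taken from the Prow project).
CURRENT_JOB_POD = {
    "spec": {"containers": [{"name": "job", "image": "example/dind:placeholder",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

TARGET_JOB_POD = {
    "spec": {"securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
             "containers": [{"name": "job", "image": "example/rootless:placeholder",
                             "securityContext": {"privileged": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("current", CURRENT_JOB_POD), ("target", TARGET_JOB_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```

Note that `privileged: true` already grants every capability, so the SYS_ADMIN finding is redundant for the first manifest; it matters for non-privileged containers that add the capability explicitly.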