Comments (1)
This happens because the SELinux label is removed by containerd's CRI implementation if the container is privileged. This is similar to how seccomp filters are treated.
Normally this is fine since `privileged: true` implies "all the privileges" on most distros, just not on Bottlerocket.
The workaround is to avoid specifying `privileged: true` in the security context, and to instead list out everything that is implied by that:

```yaml
securityContext:
  allowPrivilegeEscalation: true
  capabilities:
    add:
      - AUDIT_CONTROL
      - BLOCK_SUSPEND
      - DAC_READ_SEARCH
      - IPC_LOCK
      - IPC_OWNER
      - LEASE
      - LINUX_IMMUTABLE
      - MAC_ADMIN
      - MAC_OVERRIDE
      - NET_ADMIN
      - NET_BROADCAST
      - SYSLOG
      - SYS_ADMIN
      - SYS_BOOT
      - SYS_MODULE
      - SYS_NICE
      - SYS_PACCT
      - SYS_PTRACE
      - SYS_RAWIO
      - SYS_RESOURCE
      - SYS_TIME
      - SYS_TTY_CONFIG
      - WAKE_ALARM
  seccompProfile:
    type: Unconfined
  seLinuxOptions:
    type: super_t
```
This works unless the privileged container needs access to host devices. Right now, the device cgroup is set to all devices allowed for privileged containers, and there's no way to specify the equivalent in the pod spec without `privileged: true`.
from bottlerocket.
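As an added example (not from the issue or from Bottlerocket's own tooling), a small Python script that applies the workaround above to a pod spec: it expands `privileged: true` into the explicit capability, seccomp and SELinux settings, and leaves a container alone when the pod mounts a hostPath under /dev, which is an assumed heuristic for the device-cgroup caveat in the comment.

```python
import copy

# Capabilities that `privileged: true` implies, as listed in the comment above.
PRIVILEGED_CAPS = [
    "AUDIT_CONTROL", "BLOCK_SUSPEND", "DAC_READ_SEARCH", "IPC_LOCK", "IPC_OWNER",
    "LEASE", "LINUX_IMMUTABLE", "MAC_ADMIN", "MAC_OVERRIDE", "NET_ADMIN",
    "NET_BROADCAST", "SYSLOG", "SYS_ADMIN", "SYS_BOOT", "SYS_MODULE", "SYS_NICE",
    "SYS_PACCT", "SYS_PTRACE", "SYS_RAWIO", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "WAKE_ALARM",
]

def explicit_security_context(ctx):
    """Return a copy of a container securityContext with `privileged: true`
    replaced by the explicit capabilities, seccomp and SELinux settings."""
    new = copy.deepcopy(ctx)
    new.pop("privileged", None)
    new["allowPrivilegeEscalation"] = True
    caps = new.setdefault("capabilities", {})
    caps["add"] = sorted(set(caps.get("add", [])) | set(PRIVILEGED_CAPS))
    new["seccompProfile"] = {"type": "Unconfined"}   # privileged already meant no filter
    new["seLinuxOptions"] = {"type": "super_t"}      # the label containerd's CRI dropped
    return new

def uses_host_devices(pod_spec):
    """Heuristic (assumption, not from the issue): a hostPath volume under /dev
    means the container needs the all-devices cgroup that only privileged grants."""
    return any(v.get("hostPath", {}).get("path", "").startswith("/dev")
               for v in pod_spec.get("volumes", []))

def rewrite_pod(pod_spec):
    """Rewrite every privileged container; return (new_spec, names left alone)."""
    spec = copy.deepcopy(pod_spec)
    skipped = []
    for container in spec.get("containers", []):
        ctx = container.get("securityContext", {})
        if not ctx.get("privileged"):
            continue
        if uses_host_devices(spec):
            skipped.append(container["name"])   # keep privileged: true, no equivalent
            continue
        container["securityContext"] = explicit_security_context(ctx)
    return spec, skipped

# Constructed sample pod spec (not taken from the issue).
SAMPLE_POD = {
    "containers": [{"name": "agent", "image": "example/agent:1.0",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
    "volumes": [{"name": "cfg", "emptyDir": {}}],
}
```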