Release Notes
      = Nested containers now supported in workspaces

      Dev Spaces now supports running nested containers, which allows you to use commands like `podman run` directly in a workspace without `kubedock`.

      To enable this feature, set `spec.devEnvironments.disableContainerRunCapabilities: true` in the `CheCluster` custom resource.

      [IMPORTANT]
      ====
      Due to new SecurityContextConstraints (SCC) restrictions, if you set `spec.devEnvironments.disableContainerRunCapabilities` to `true`, existing workspaces will fail to start.
      ====

      [NOTE]
      ====
      This feature has two requirements:

      * OpenShift Container Platform 4.20 or newer.

      * Workspaces must be based on the `quay.io/devfile/base-developer-image:ubi9-latest` or `quay.io/devfile/base-developer-image:ubi10-latest` image, or a newer tag.
      ====
    • Enhancement
    • Proposed

      OCP 4.19 adds the ability to run secure, nested containers in a Pod.

      Reference - https://github.com/cgruver/ocp-4-18-nested-container-tech-preview

      The relevant feature gates are -

      • UserNamespacesSupport
      • UserNamespacesPodSecurityStandards
      • ProcMountType


      By enabling these new capabilities in OpenShift Dev Spaces, we will provide users with full podman and podman-compose functionality inside a workspace.

      Changes needed to Dev Spaces -

      1. Ability to detect OCP version 4.19+
      2. Feature toggle to enable nested containers for workspaces on OCP 4.19+
      3. SCC that implements the constraints necessary for user namespaces
      4. Changes to UDI images to use a different pattern for subuid and subgid
      5. Changes to DevWorkspace Operator to create workspace Deployments with the correct securityContext settings

      Considerations for design -

      • Processes in containers can now run with predictable uid/gid
      • Need to block enabling on OCP < 4.19
      • Containers can now run as root inside the user namespace without the host-level security implications of running as host root

      Example SCC -

      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        name: nested-podman-scc
      priority: null
      allowPrivilegeEscalation: true
      allowedCapabilities:
      - SETUID
      - SETGID
      fsGroup:
        type: MustRunAs
        ranges:
        - min: 1000
          max: 65534
      runAsUser:
        type: MustRunAs
        uid: 1000
      seLinuxContext:
        type: MustRunAs
        seLinuxOptions:
          type: container_engine_t
      supplementalGroups:
        type: MustRunAs
        ranges:
        - min: 1000
          max: 65534
      userNamespaceLevel: RequirePodLevel

      Significant changes -

      • `userNamespaceLevel: RequirePodLevel` - Forces the Pod to use a user namespace for its uid/gid mapping instead of host uid/gid
      • `runAsUser:, fsGroup:, supplementalGroups:` - Allows the workspace containers to run as a known uid/gid
      • `seLinuxOptions:` - Uses the `container_engine_t` SELinux type, which is compatible with user namespaces.

      Example Pod -

      apiVersion: v1
      kind: Pod
      metadata:
        name: nested-podman
        namespace: podman-demo
        annotations:
          io.kubernetes.cri-o.Devices: "/dev/fuse,/dev/net/tun"
          openshift.io/scc: nested-podman-scc
      spec:
        hostUsers: false
        containers:
        - name: nested-podman
          image: quay.io/cgruver0/che/workspace-base:latest
          securityContext:
            allowPrivilegeEscalation: true
            procMount: Unmasked
            capabilities:
              add:
              - "SETUID"
              - "SETGID"
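
A pre-flight check for the SCC and Pod examples above, written as an added Python example for this issue (it is not Dev Spaces or DevWorkspace Operator code): it gates on the OCP version, as items 1 and 2 of the change list require, and reports which fields of a workspace Pod would fall outside the `nested-podman-scc` constraints. The SCC subset and both Pods are constructed dicts mirroring the examples on this page.

```python
from typing import Dict, List

# Subset of the nested-podman-scc fields from this issue (constructed dict, not operator code).
NESTED_PODMAN_SCC: Dict = {
    "allowedCapabilities": ["SETUID", "SETGID"],
    "runAsUser": {"type": "MustRunAs", "uid": 1000},
    "userNamespaceLevel": "RequirePodLevel",
}

def ocp_supports_nested_containers(version: str, minimum=(4, 19)) -> bool:
    """Version gate for the feature toggle: nested containers only on OCP >= minimum."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= minimum

def check_workspace_pod(pod: Dict, scc: Dict = NESTED_PODMAN_SCC) -> List[str]:
    """Return findings for settings the SCC would reject; an empty list means the Pod fits."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    # RequirePodLevel means the Pod must opt into a user namespace, i.e. hostUsers: false.
    if scc.get("userNamespaceLevel") == "RequirePodLevel" and spec.get("hostUsers") is not False:
        findings.append("spec.hostUsers must be false (SCC userNamespaceLevel: RequirePodLevel)")
    allowed = set(scc.get("allowedCapabilities", []))
    uid = scc["runAsUser"]["uid"]
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        extra = set(sc.get("capabilities", {}).get("add", [])) - allowed
        if extra:
            findings.append(f"{c['name']}: capabilities {sorted(extra)} not in allowedCapabilities")
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged is not part of this design")
        if sc.get("runAsUser", uid) != uid:
            findings.append(f"{c['name']}: runAsUser {sc['runAsUser']} differs from SCC MustRunAs uid {uid}")
    return findings

# Constructed Pod mirroring the example Pod in this issue.
GOOD_POD: Dict = {
    "metadata": {"name": "nested-podman",
                 "annotations": {"io.kubernetes.cri-o.Devices": "/dev/fuse,/dev/net/tun"}},
    "spec": {"hostUsers": False, "containers": [{
        "name": "nested-podman",
        "securityContext": {"allowPrivilegeEscalation": True, "procMount": "Unmasked",
                            "capabilities": {"add": ["SETUID", "SETGID"]}}}]},
}
# Constructed variant that keeps host uids and asks for a capability the SCC does not allow.
BAD_POD: Dict = {
    "metadata": {"name": "host-uid-podman"},
    "spec": {"hostUsers": True, "containers": [{
        "name": "workspace", "securityContext": {"capabilities": {"add": ["SETUID", "SYS_ADMIN"]}}}]},
}
```

Running `check_workspace_pod(GOOD_POD)` returns no findings, while `BAD_POD` is flagged for both the host user namespace and the extra capability.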

              abazko Anatolii Bazko
              cgruver@redhat.com Charro Gruver
              Gaurav Trivedi Gaurav Trivedi