Epic
Resolution: Unresolved
Enable Read/Write cgroups for non-privileged containers in OpenShift
To Do
Epic Goal
- Enable Read/Write permissions on the cgroupfs mounted into non-privileged containers that have `hostUsers: false`
- NICE-TO-HAVE: Chown the cgroupfs to the UID of the container
Why is this important?
- Enable a full Ansible developer experience in OpenShift Dev Spaces including support for Molecule
Scenarios
- Molecule testing of Ansible in OpenShift Dev Spaces
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- Containers in a Pod running under a specific SCC have access to a writable cgroupfs
- NICE-TO-HAVE: The cgroupfs is owned by the UID of the container
- An SCC enforces that cgroupfs can only be RW when the container is running in a user namespace, i.e. `hostUsers: false`
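The last criterion can be checked from inside a running container by reading `/proc/self/mountinfo` and `/proc/self/uid_map`. This is an added example, not code from this epic or the linked projects; the function names and sample lines are constructed, and it assumes cgroup v2 mounted at `/sys/fs/cgroup` and treats any non-identity UID map as a user namespace.

```python
from pathlib import Path

IDENTITY_MAP = [(0, 0, 4294967295)]  # uid_map of the initial (host) user namespace

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_RO = "1527 1494 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,seclabel\n"
SAMPLE_RW = "1527 1494 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,seclabel\n"
SAMPLE_HOST_MAP = "         0          0 4294967295\n"
SAMPLE_USERNS_MAP = "         0    1000000      65536\n"


def cgroup_mount_is_rw(mountinfo, mount_point="/sys/fs/cgroup"):
    """True if the cgroup2 mount at mount_point carries the per-mount 'rw' flag."""
    result = None
    for line in mountinfo.splitlines():
        fields = line.split()
        if "-" not in fields[6:]:
            continue  # not a well-formed mountinfo line
        sep = fields.index("-", 6)
        if sep + 1 >= len(fields):
            continue
        if fields[4] == mount_point and fields[sep + 1] == "cgroup2":
            # fields[5] holds the per-mount options. The superblock options at
            # the end of the line stay 'rw' even when this mount is read-only.
            result = "rw" in fields[5].split(",")  # last mount on the path wins
    if result is None:
        raise LookupError(f"no cgroup2 mount at {mount_point}")
    return result


def in_user_namespace(uid_map):
    """Heuristic (assumption): a non-identity UID map means a non-initial userns."""
    rows = [tuple(int(x) for x in l.split()) for l in uid_map.splitlines() if l.strip()]
    return rows != IDENTITY_MAP


def check_policy(mountinfo, uid_map):
    """Classify the container against 'RW cgroupfs only with hostUsers: false'."""
    rw, userns = cgroup_mount_is_rw(mountinfo), in_user_namespace(uid_map)
    if rw and not userns:
        return "violation: writable cgroupfs with host users"
    return "ok: writable cgroupfs in user namespace" if rw else "ok: read-only cgroupfs"


if __name__ == "__main__":
    print(check_policy(Path("/proc/self/mountinfo").read_text(),
                       Path("/proc/self/uid_map").read_text()))
```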
Dependencies (internal and external)
Previous Work (Optional):
- https://github.com/kubernetes/enhancements/issues/5474
- https://github.com/kubernetes/kubernetes/issues/121190
- https://github.com/cri-o/cri-o/issues/9768
- https://github.com/cgruver/systemd-in-devspaces
Open questions:
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>