Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Node
Labels:
- node
- vefsi

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
PX Impact Score:
PX Priority Data:
PX Review Complete:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

With more and more stuff being containerized, people want to inspect / run containers in a Pod, without needing a privileged Pod.

Currently this knowledge is in blog posts like https://www.redhat.com/sysadmin/podman-inside-kubernetes
However understanding the implications of the changes needed (Seccomp profile, dropping SeLinux confinement) is not trivial, and having a ready to use SCC for this purpose would help OpenShift users much.

Such a `nested` SCC should be based on the `restricted` SCC and allows the minimum permissions to run podman/buildah inside pods.
Needed permissions would include (to be verified):

permission to use unshare system call
permission to run as `unconfined` SeLinux container (see https://bugzilla.redhat.com/show_bug.cgi?id=2081037)

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

podman-in-pod-scc.yaml
0.9 kB
2023/11/13 2:21 PM

blocks

OSSM-1505 OCP 4.11 OSSM 2.1 ServiceMeshExtension fails to be ready

Closed

relates to

RUN-1627 Document & Test a custom scc for running podman in containers

To Do

Assignee:: Gaurav Singh

Reporter:: Emmanuel Kasprzyk

Votes:: 0 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 2022/05/19 2:05 PM

Updated:: 2024/07/26 2:15 PM

Resolved:: 2022/12/01 8:24 PM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates