Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Node
Labels:
- node
- vefsi

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%

SFDC Cases Counter:
SFDC Cases Links:

Description

With more and more stuff being containerized, people want to inspect / run containers in a Pod, without needing a privileged Pod.

Currently this knowledge is in blog posts like https://www.redhat.com/sysadmin/podman-inside-kubernetes
However understanding the implications of the changes needed (Seccomp profile, dropping SeLinux confinement) is not trivial, and having a ready to use SCC for this purpose would help OpenShift users much.

Such a `nested` SCC should be based on the `restricted` SCC and allows the minimum permissions to run podman/buildah inside pods.
Needed permissions would include (to be verified):

permission to use unshare system call
permission to run as `unconfined` SeLinux container (see https://bugzilla.redhat.com/show_bug.cgi?id=2081037)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

podman-in-pod-scc.yaml
0.9 kB
2023/11/13 2:21 PM

Issue Links

blocks

OSSM-1505 OCP 4.11 OSSM 2.1 ServiceMeshExtension fails to be ready

Closed

relates to

RUN-1627 Document & Test a custom scc for running podman in containers

To Do

Activity

People

Assignee:: Gaurav Singh

Reporter:: Emmanuel Kasprzyk

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Dates

Created:: 2022/05/19 2:05 PM

Updated:: 2024/03/01 5:42 PM

Resolved:: 2022/12/01 8:24 PM