Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-2868

Add Security Context Constraint taylored to running Podman in a Pod

    XMLWordPrintable

Details

    • Feature Request
    • Status: Under Review (View Workflow)
    • Medium
    • Resolution: Unresolved
    • None
    • None
    • Node
    • False
    • None
    • False
    • Not Selected
    • 6,008

    Description

      With more and more stuff being containerized, people want to inspect / run containers in a Pod, without needing a privileged Pod.

      Currently this knowledge is in blog posts like https://www.redhat.com/sysadmin/podman-inside-kubernetes
      However understanding the implications of the changes needed (Seccomp profile, dropping SeLinux confinement) is not trivial, and having a ready to use SCC for this purpose would help OpenShift users much.

      Such a `nested` SCC should be based on the `restricted` SCC and allows the minimum permissions to run podman/buildah inside pods.
      Needed permissions would include (to be verified):

      Attachments

        Issue Links

          Activity

            People

              gausingh@redhat.com Gaurav Singh
              rhn-support-ekasprzy Emmanuel Kasprzyk
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated: