device-plugins: Add fuse-device-plugin DaemonSet

The *fuse-device-plugin* handles mapping the `/dev/fuse` device into unprivileged containers, e.g. for `buildah`. Although *fuse-device-plugin* was recommended by Red Hat in their blog post [How to use Podman inside of Kubernetes][0], it's probably not the best choice any more. It's working for now, giving me the ability to build container images in Kubernetes without running `buildah` in a privileged container, but I will probably investigate replacing it with the [generic-device-plugin][1] eventually.

[0]: https://www.redhat.com/sysadmin/podman-inside-kubernetes
[1]: https://github.com/squat/generic-device-plugin

dch-webhooks-secrets
parent f7a8f391ea
commit 934c07ceba
@ -0,0 +1,28 @@
# Device Plugins

Kubernetes [Device Plugins][0] are processes that map device nodes into
unprivileged containers. They provide an alternative to manually bind-mounting
devices using pod volumes, which typically requires granting container
processes more privileges than they would otherwise need.


## `fuse-device-plugin`

The [fuse-device-plugin][1] is a simple plugin that maps the `/dev/fuse` device
node into a container. This device node is required in order to use [FUSE][2]
filesystems. [Buildah][3], for example, used an FUSE implementation of
OverlayFS when building container images in an unprivileged container.

As of October 2023, Upsteam development of the `fuse-device-plugin` appears to
have stalled, and its "official" container image is several years old at this
point. While the project itself is simple and probably does not need much
maintenance, running a container based on an operating system that old is quite
dangerous. As such, I've created created [my own container image][4] for it
that gets rebuilt and updated automatically.


[0]: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/
[1]: https://github.com/kuberenetes-learning-group/fuse-device-plugin/tree/master
[2]: https://en.wikipedia.org/wiki/Filesystem_in_Userspace
[3]: https://buildah.io/
[4]: https://git.pyrocufflink.net/ContainerImages/fuse-device-plugin
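Review bot: a few wording slips in the README text: "Upsteam development" should be "Upstream development", "used an FUSE implementation" should read "uses a FUSE implementation" (present tense, since the plugin is still in use), and "I've created created" doubles the verb. Since this file is the only documentation for the directory, it would also help to state how a workload actually requests the device from the plugin (the resource name to put under `resources.limits`) and to point at the DaemonSet manifest; as written, a reader learns why the plugin exists but not how to consume it.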
@ -0,0 +1,30 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fuse-device-plugin
namespace: kube-system
spec:
selector:
matchLabels:
name: fuse-device-plugin
template:
metadata:
labels:
name: fuse-device-plugin
spec:
containers:
- image: git.pyrocufflink.net/containerimages/fuse-device-plugin
name: fuse-device-plugin
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: device-plugin
mountPath: /var/lib/kubelet/device-plugins
hostNetwork: true
volumes:
- name: device-plugin
hostPath:
path: /var/lib/kubelet/device-plugins
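Review bot: `hostNetwork: true` looks unnecessary here and widens the pod's exposure: a device plugin registers with the kubelet over a Unix socket in `/var/lib/kubelet/device-plugins`, which this manifest already mounts from the host, so the plugin has no need for the host's network namespace; drop it unless the image actually requires it. Two smaller points: the `image:` carries neither a tag nor a digest, so every node pulls whatever `latest` resolves to at pull time (a tag, or a digest bumped by the rebuild pipeline, would make rollouts reproducible and reviewable), and with no `tolerations` the DaemonSet will not run on tainted nodes such as control-plane nodes, so pods needing `/dev/fuse` cannot schedule there. A `priorityClassName: system-node-critical` and a small `resources` block are customary for kube-system DaemonSets; the dropped capabilities and `allowPrivilegeEscalation: false` are good to see.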