Specify security context for procMount #19881

Closed
krisdevopsbot opened this issue Sep 6, 2023 · 3 comments · Fixed by #19885
Labels: kind/feature, kube, locked - please file new issue/PR


krisdevopsbot commented Sep 6, 2023

Feature request description

Add feature parity with `podman run --security-opt=unmask=/proc/*` to `podman play kube` for procMount security opts. This is necessary for podman in podman containers which fork (things like bazel) to work properly.

Related to #19440 (comment)

Suggest potential solution

    securityContext:
      procMount: "Unmasked"

Have you considered any alternatives?

`podman run` works; however, YML is generally cleaner to use.


krisdevopsbot added the kind/feature label Sep 6, 2023

rhatdan commented Sep 6, 2023

Is

    securityContext:
      procMount: "Unmasked"

valid for k8s?

krisdevopsbot (Author) commented

> Is
>
>     securityContext:
>       procMount: "Unmasked"
>
> valid for k8s?

https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand/
There are only two valid options for this entry: Default, which maintains the standard container runtime behavior, or Unmasked, which removes all masking for the /proc filesystem.
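
A manifest showing where the requested field sits, as an added example that is not part of the original thread or podman's own code. The pod name, container names and image are hypothetical placeholders, and it assumes a podman build that includes the fix referenced in this issue.

```yaml
# Constructed example: all names and the image reference are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: procmount-demo
spec:
  containers:
    # The nested-podman / forking build tool case from the request.
    # Intended to match: podman run --security-opt=unmask=/proc/*
    - name: nested-builder
      image: registry.example.com/builder:latest
      command: ["sleep", "infinity"]
      securityContext:
        procMount: Unmasked
    # Every other container keeps the runtime's default /proc masking.
    - name: sidecar
      image: registry.example.com/builder:latest
      command: ["sleep", "infinity"]
      securityContext:
        procMount: Default   # same effect as omitting the field
```

`procMount` is a container-level `securityContext` field, so the masking is removed only for the container that needs it. On Kubernetes itself the field is controlled by the `ProcMountType` feature gate.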


rhatdan commented Sep 7, 2023

I opened a PR to handle this.

rhatdan added a commit to rhatdan/podman that referenced this issue Sep 7, 2023
github-actions bot added the locked - please file new issue/PR label Dec 8, 2023
github-actions bot locked as resolved and limited conversation to collaborators Dec 8, 2023