Skip to content

Latest commit

 

History

History
30 lines (27 loc) · 1.27 KB

block_cri_ownership_config.md

File metadata and controls

30 lines (27 loc) · 1.27 KB
Raw

device_ownership_from_security_context CRI configurable

Introduction

Unlike volumes with fsGroup, devices have no official notion of deviceGroup/deviceUser that the CRI runtimes (or kubelet) would be able to use.
This makes it problematic for our workloads to populate block devices, and has manifested itself in the form of this community issue.

Solution

As explained in the source below, a solution that is seamless to end-users was chosen by the k8s community, without getting the device plugin vendors involved.
The selected approach was to re-use runAsUser and runAsGroup for devices, with an opt-in config entry for the CRI (device_ownership_from_security_context) that ensures no existing deployment breaks.
To use CDI, it is advised to opt-in.
For Containerd v1:

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    device_ownership_from_security_context = true

For Containerd v2:

[plugins]
  [plugins."io.containerd.cri.v1.runtime"]
    device_ownership_from_security_context = true

CRI-O:

[crio.runtime]
device_ownership_from_security_context = true

Source

https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/