Commit

Describe device_ownership_from_security_context=true for Containerd v2 (#3452)

Signed-off-by: Andrei Kvapil <[email protected]>
kvaps authored Oct 7, 2024
1 parent 0838360 commit 7b330eb
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions doc/block_cri_ownership_config.md
Expand Up @@ -8,17 +8,23 @@ This makes it problematic for our workloads to populate block devices, and has m
As explained in the source below, a solution that is seamless to end-users was chosen by the k8s community, without getting the device plugin vendors involved.
The selected approach was to re-use `runAsUser` and `runAsGroup` for devices, with an opt-in config entry for the CRI (`device_ownership_from_security_context`) that ensures no existing deployment breaks.
To use CDI, it is advised to opt-in.
For containerd:
For Containerd v1:
```toml
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
device_ownership_from_security_context = true
```
For Containerd v2:
```toml
[plugins]
[plugins."io.containerd.cri.v1.runtime"]
device_ownership_from_security_context = true
```
CRI-O:
```toml
[crio.runtime]
device_ownership_from_security_context = true
```

## Source
https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/
https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/
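
Review bot: the new "For Containerd v2:" block gives the plugin table name `io.containerd.cri.v1.runtime` but the doc still does not tell a reader how to decide which of the two containerd blocks applies to their node, or that the runtime has to be restarted after the config is edited. Suggest one sentence ahead of the two blocks pointing at `containerd --version` and one after them noting the restart. Since this option hands device ownership to the pod's `runAsUser`/`runAsGroup`, it would also help to say that it is set per node in the CRI config, so every node that schedules these workloads needs it. Minor style point: the label "CRI-O:" now reads inconsistently next to "For Containerd v1:" and "For Containerd v2:"; "For CRI-O:" would match.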
