I'm implementing support to a CSIDriver that uses Bidirectional Mount Propagation. This requires that the container be Privileged, but in this project, we are not allowed to use privileged containers.
There is any other way to do this? I've tried to use SYS_ADMIN capability, but it did not work.
- name: spiffe-csi-driver
image: ghcr.io/spiffe/spiffe-csi-driver:0.1.0
imagePullPolicy: IfNotPresent
args: [
"-workload-api-socket-dir", "/spire-agent-socket",
"-csi-socket-path", "/spiffe-csi/csi.sock",
]
env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- mountPath: /spire-agent-socket
name: spire-agent-socket
readOnly: true
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The volume containing mount points for containers.
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: mountpoint-dir
securityContext:
privileged: true # need to remove
# capabilities: # this didn't work
# add:
# - SYS_ADMIN
CodePudding user response:
According to K8s official documentation:
it is allowed only in privileged containers.