I am using a Kubernetes cluster deployed through Google Container Engine (GKE) from the Google Cloud Developer's Console, cluster version 0.19.3. I would like to run a privileged container, like in the Kubernetes NFS Server example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: jsafrane/nfs-data
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: true
```
Since the default Google Container Engine configuration does not allow privileged containers, the Kubernetes API immediately returns the following error:
Error from server: Pod "nfs-server" is invalid: spec.containers[0].securityContext.privileged: forbidden '<*>(0xc20a027396)true'
How can I allow privileged containers in my Google Container Engine cluster?
Running a pod in a privileged mode means that the pod can access the host's resources and kernel capabilities. You can turn a pod into a privileged one by setting the privileged flag to `true` (by default a container is not allowed to access any devices on the host).
privileged: determines if any container in a pod can enable privileged mode. By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host.
Update: Privileged mode is now enabled by default starting with the 1.1 release of Kubernetes which is now available in Google Container Engine.
Running privileged containers (including the NFS server in that example) isn't currently possible in Google Container Engine. We are looking at ways to solve this (adding a flag when creating your cluster to allow privileged containers; making privileged containers part of admission control; etc). For now, if you need to run privileged containers you'll need to launch your own cluster using the GCE provider.
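The check the API server performed on the manifest above (and the admission-control gate the answer mentions as a possible future design) is straightforward to reproduce. The following is an added example, not code from the question, the answer, or Kubernetes itself: it walks a Pod object, reports every container whose `securityContext.privileged` is `true` using the same field-path notation the API error quotes, and returns an admit/reject decision. The `NFS_POD` sample is a constructed JSON rendering of the NFS pod from the question; `privileged_paths` and `admit` are names chosen here, not Kubernetes APIs.

```python
"""Locate privileged containers in a Kubernetes Pod object.

Added example (not from the original question or answer). Mirrors the
validation the API server applied: find every container whose
securityContext.privileged is true and name it by the same field path the
error in the question uses (spec.containers[0].securityContext.privileged).
Standard library only; the Pod is a dict such as json.loads() of
`kubectl get pod -o json` would produce.
"""
import json


def privileged_paths(pod: dict) -> list:
    """Return field paths of every privileged container in the Pod.

    Both initContainers and containers are inspected, because both run
    on the node and both carry their own securityContext. Only a boolean
    True counts; the string "true" is a different (invalid) value.
    """
    found = []
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers"):
        for index, container in enumerate(spec.get(field) or []):
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                found.append(f"spec.{field}[{index}].securityContext.privileged")
    return found


def admit(pod: dict, allow_privileged: bool = False) -> tuple:
    """Emulate an admission decision as (allowed, message).

    allow_privileged=False reproduces the cluster in the question, which
    forbids privileged containers outright; True models a cluster that
    permits them (the default the answer's update describes).
    """
    hits = privileged_paths(pod)
    if hits and not allow_privileged:
        name = (pod.get("metadata") or {}).get("name", "<unnamed>")
        detail = ", ".join(f"{path}: forbidden" for path in hits)
        return False, f'Pod "{name}" is invalid: {detail}'
    return True, "ok"


# Constructed sample: the NFS server Pod from the question, rendered as JSON.
NFS_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "nfs-server", "labels": {"role": "nfs-server"}},
  "spec": {
    "containers": [
      {
        "name": "nfs-server",
        "image": "jsafrane/nfs-data",
        "ports": [{"name": "nfs", "containerPort": 2049}],
        "securityContext": {"privileged": true}
      }
    ]
  }
}
""")

# Constructed sample: the same Pod with the flag removed, which is admitted.
UNPRIVILEGED_POD = json.loads(json.dumps(NFS_POD))
del UNPRIVILEGED_POD["spec"]["containers"][0]["securityContext"]

if __name__ == "__main__":
    for pod in (NFS_POD, UNPRIVILEGED_POD):
        allowed, message = admit(pod)
        print("ADMIT" if allowed else "REJECT", message)
```

Run it directly to see the NFS pod rejected with a message shaped like the one in the question and the unprivileged copy admitted. On current Kubernetes releases the same decision is made by the built-in Pod Security Admission controller when a namespace carries the `pod-security.kubernetes.io/enforce: baseline` label, so the flag can be forbidden per namespace rather than cluster-wide.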