Allow Privileged Containers in Kubernetes on Google Container (GKE)

I am using a Kubernetes cluster deployed through Google Container Engine (GKE) from the Google Cloud Developer's Console, cluster version 0.19.3. I would like to run a privileged container, like in the Kubernetes NFS Server example:

apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: jsafrane/nfs-data
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: true

Since the default Google Container Engine configuration does not allow privileged containers, the Kubernetes API immediately returns the following error:

Error from server: Pod "nfs-server" is invalid: spec.containers[0].securityContext.privileged: forbidden '<*>(0xc20a027396)true'

How can I allow privileged containers in my Google Container Engine cluster?

Caleb asked Jun 29 '15 19:06


People also ask

How do you make a container privileged in Kubernetes?

Running a pod in a privileged mode means that the pod can access the host's resources and kernel capabilities. You can turn a pod into a privileged one by setting the privileged flag to `true` (by default a container is not allowed to access any devices on the host).

How can you enable clients inside a GKE cluster to be able to contact pods?

By default, you get a stable cluster IP address that clients inside the cluster can use to contact Pods in the Service. A client sends a request to the stable IP address, and the request is routed to one of the Pods in the Service.

How do I give access to GKE cluster?

To enable access to your user clusters using the GKE console, complete the following steps: Create a node-reader.yaml file that allows you to access the cluster. Apply this file to the cluster that you want to log into with the kubectl command.

What is privileged mode in Kubernetes?

privileged : determines if any container in a pod can enable privileged mode. By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host.


1 Answer

Update: Privileged mode is now enabled by default starting with the 1.1 release of Kubernetes which is now available in Google Container Engine.


Running privileged containers (including the NFS server in that example) isn't currently possible in Google Container Engine. We are looking at ways to solve this (adding a flag when creating your cluster to allow privileged containers; making privileged containers part of admission control; etc). For now, if you need to run privileged containers you'll need to launch your own cluster using the GCE provider.

Robert Bailey answered Sep 24 '22 05:09

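The answer mentions making privileged containers part of admission control as one way to gate them. As an added illustration (not code from the question, the answer, or Kubernetes itself), the Python below performs the check an admission policy would: it walks a pod object in the JSON form an admission webhook receives, reports every container whose securityContext requests privileged mode using the same field-path notation as the API server error in the question, and returns an allow/deny verdict. The sample pods are constructed from the nfs-server manifest above; the allow_privileged switch is an assumed stand-in for the cluster-level flag the answer speculates about, not a real GKE option.

```python
import json
from typing import Any

# Constructed sample input: the nfs-server Pod from the question, in the JSON
# form the API server hands to an admission webhook (AdmissionReview
# request.object). Not the project's own code or data.
NFS_SERVER_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "nfs-server", "labels": {"role": "nfs-server"}},
  "spec": {
    "containers": [
      {
        "name": "nfs-server",
        "image": "jsafrane/nfs-data",
        "ports": [{"name": "nfs", "containerPort": 2049}],
        "securityContext": {"privileged": true}
      }
    ]
  }
}
""")

# Constructed sample: the same pod with privileged mode off, plus an
# initContainer, to show that both container lists are inspected.
UNPRIVILEGED_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "nfs-server"},
  "spec": {
    "initContainers": [{"name": "setup", "image": "busybox"}],
    "containers": [
      {"name": "nfs-server", "image": "jsafrane/nfs-data",
       "securityContext": {"privileged": false}}
    ]
  }
}
""")


def find_privileged_containers(pod: dict[str, Any]) -> list[str]:
    """Return the field path of every container that requests privileged mode.

    Paths use the notation of the API server's validation error in the
    question (spec.containers[0].securityContext.privileged) so a finding
    maps straight back to the manifest. Regular containers and
    initContainers are both checked, since either may set securityContext.
    """
    findings = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for index, container in enumerate(spec.get(field, [])):
            sc = container.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append(f"spec.{field}[{index}].securityContext.privileged")
    return findings


def review(pod: dict[str, Any], allow_privileged: bool = False) -> dict[str, Any]:
    """Build an admission-style verdict for a pod.

    allow_privileged is an assumed stand-in for a cluster-wide switch: when
    False, any privileged container is rejected with a message naming the
    offending fields; when True the pod is admitted unchanged.
    """
    findings = find_privileged_containers(pod)
    if findings and not allow_privileged:
        return {
            "allowed": False,
            "message": "privileged containers are not permitted: " + ", ".join(findings),
        }
    return {"allowed": True, "message": ""}


if __name__ == "__main__":
    for pod in (NFS_SERVER_POD, UNPRIVILEGED_POD):
        print(pod["metadata"]["name"], review(pod))
```

Running the script prints a deny verdict for the privileged nfs-server pod and an allow verdict for the unprivileged variant. The same function is what you would call from the request handler of a validating admission webhook, or run offline over manifests in a repository to find privileged containers before they reach a cluster.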