fcos: Mount /:/rootfs:ro to Kubelet
Kubelet fails to handle SELinux labelling of Cinder PV without
presenting the rootfs to Kubelet and as a result, an unprivileged
container lacks the ability to access the path.
With this patch, Kubelet handles the correct labelling automatically
when a Cinder PV is attached to a pod.
The default behaviour using system containers in Fedora Atomic is to
mount rootfs [1] but we did not implement the same behaviour in Fedora
CoreOS which was a mistake as this was a missing piece of code.
[1] https://github.com/openstack/magnum/blob/master/dockerfiles/kubernetes-kubelet/config.json.template#L335
Story: 2007413
Task: 39129
Change-Id: Id59c604928244bf49773b7519fa756d5b2814b69
(cherry picked from commit 1994e9448a)
parent e9d56fd85d
commit 0feb2b1851
@ -187,6 +187,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
--pid host \\
--network host \\
--entrypoint /hyperkube \\
--volume /:/rootfs:ro \\
--volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
--volume /etc/kubernetes:/etc/kubernetes:ro,z \\
--volume /usr/lib/os-release:/usr/lib/os-release:ro \\
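Review bot: the new `--volume /:/rootfs:ro \\` line intentionally carries no `z` relabel option, unlike the neighbouring `/etc/cni/net.d` and `/etc/kubernetes` mounts which use `ro,z`; that is the correct choice, because a `:z` on `/` would recursively relabel the whole host filesystem, but the template (or the commit message) should say so explicitly so that a later cleanup does not "harmonise" the three volume lines. The `ro` is the other thing worth stating: this container already runs with `--pid host` and `--network host`, and the read-only flag is what keeps the whole-host bind mount from becoming a write path back into the host.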
@ -81,6 +81,7 @@ ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
--pid host \\
--network host \\
--entrypoint /hyperkube \\
--volume /:/rootfs:ro \\
--volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
--volume /etc/kubernetes:/etc/kubernetes:ro,z \\
--volume /usr/lib/os-release:/usr/lib/os-release:ro \\
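Review bot: this hunk adds the identical `--volume /:/rootfs:ro \\` line to a second kubelet unit template at line 81, so the two templates now have to be kept in step by hand; since this is a cherry-pick of 1994e9448a, verify that the line sits at the same position relative to `--entrypoint /hyperkube \\` and `--volume /etc/cni/net.d ... \\` in both files as it does in the source commit, and consider noting in the commit message that both the master and the second template were changed on purpose rather than one being an accidental duplicate. The remark on the first hunk about omitting `z` on the root mount applies here as well.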