From 33e5f47c6c58c6f719d1f71a813b4980955bdc26 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 9 Sep 2022 08:12:58 +0900
Subject: [PATCH] kubernetes: rootless: support Google Container-Optimized OS

Tested with GKE Autopilot 1.24.3-gke.200 (kernel 5.10.123+, containerd 1.6.6).

ref: moby/buildkit PR 3097

Signed-off-by: Akihiro Suda
---
 driver/kubernetes/manifest/manifest.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/driver/kubernetes/manifest/manifest.go b/driver/kubernetes/manifest/manifest.go
index 1a9ebe5a..7eadcb0b 100644
--- a/driver/kubernetes/manifest/manifest.go
+++ b/driver/kubernetes/manifest/manifest.go
@@ -213,6 +213,24 @@ func toRootless(d *appsv1.Deployment) error {
 d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1)
 }
 d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
+
+ // Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
+ // but the default VOLUME does not work with rootless on Google's Container-Optimized OS
+ // as it is mounted with `nosuid,nodev`.
+ // https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
+ // https://github.com/moby/buildkit/pull/3097
+ const emptyDirVolName = "buildkitd"
+ d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ Name: emptyDirVolName,
+ MountPath: "/home/user/.local/share/buildkit",
+ })
+ d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+ Name: emptyDirVolName,
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ })
+
 return nil
 }
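Review bot: The emptyDir added for `/home/user/.local/share/buildkit` is created with no `SizeLimit`, so the rootless buildkitd cache can grow until it exhausts the node's ephemeral storage and the pod is evicted; setting `SizeLimit` (a `*resource.Quantity`) on the `corev1.EmptyDirVolumeSource{}`, or a comment stating that the caller is expected to bound it through the pod's ephemeral-storage limits, would make that failure mode explicit. The two `append` calls also do not check whether a volume or mount named `buildkitd` already exists, so running toRootless on a deployment that already carries one (or applying it twice) yields a spec the API server rejects for duplicate names; a guard such as `for _, v := range d.Spec.Template.Spec.Volumes { if v.Name == emptyDirVolName { return nil } }` before the appends, or a comment documenting that the caller always passes a freshly built deployment, would close that gap. `d.Spec.Template.Spec.Containers[0]` is indexed without a length check in the added lines, though the earlier part of the function presumably established that a container is present; toRootless begins outside the hunk.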