publicWagsHome
/
buildx
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1310 from AkihiroSuda/gcos-rootless

Browse Source 
kubernetes: rootless: support Google Container-Optimized OS  (Fix ` Options:[rbind ro]}]: operation not permitted` errors)
pull/1352/head
CrazyMax 2 years ago committed by GitHub
parent 398da1f916 33e5f47c6c
commit 8c86afbd57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File

18
driver/kubernetes/manifest/manifest.go
Unescape Escape View File

@ -213,6 +213,24 @@ func toRootless(d *appsv1.Deployment) error {
d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1) d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1)
} }
d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined" d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
// Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
// but the default VOLUME does not work with rootless on Google's Container-Optimized OS
// as it is mounted with `nosuid,nodev`.
// https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
// https://github.com/moby/buildkit/pull/3097
const emptyDirVolName = "buildkitd"
d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: emptyDirVolName,
MountPath: "/home/user/.local/share/buildkit",
})
d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
Name: emptyDirVolName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
})
return nil return nil
} }

Write Preview
Loading…
Cancel
Save