cri-o: userns-mode: cannot use uidmapping or gidmapping if not running as root
Hi there,
I'm playing around with the userns-mode feature introduced in ad2ed3b79251ffa2f60f28ba4a975b24abc9d311.
I noticed that it's only possible to use the uidmapping and gidmapping settings if the pod runs as root.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    io.kubernetes.cri-o.userns-mode: "private:uidmapping=0:100000:90000;gidmapping=0:100000:90000"
spec:
  nodeSelector:
    kubernetes.io/hostname: mynode
  securityContext:
    runAsUser: 0
  containers:
  - name: busybox
    image: docker.io/library/busybox:latest
    command:
    - sleep
    - "3600"
```
If I remove `spec.securityContext.runAsUser: 0` I'll get the following error:
```
cannot use uidmapping or gidmapping if not running as root
```
But if possible I want to run the containers as non-root. So out of curiosity I disabled the user check and recompiled cri-o - and it works perfectly fine without it.
@giuseppe Is there a reason for this limitation?
Environment
- uname: 5.10.43-1-lts
- cat /etc/os-release: NAME="Arch Linux"
- crio --version: v1.20.3 (modified with the above check disabled)
- runc --version: v1.0.2-0-g52b36a2d
- kubelet --version: v1.20.7
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (10 by maintainers)
The additional IDs for the user are currently used for creating the user namespace when using “rootless” CRI-O, that is the same mechanism used by other container tools like Podman and Buildah.
We could probably extend the `uidmapping=` attribute to also consider the additional IDs when running as root, as you've suggested. That seems like a good idea.
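The annotation grammar from the pod spec above and the "additional IDs" mechanism the maintainer mentions, as an added example that is not CRI-O's own code: a small parser for the `io.kubernetes.cri-o.userns-mode` value plus a check of the requested host ID ranges against `/etc/subuid`-style delegations. It assumes the `user:start:count` line format that Podman and Buildah read for rootless user namespaces; the `/etc/subuid` contents, user names and the `check_request` helper are constructed for illustration.

```python
"""Parse a CRI-O userns-mode annotation and compare the requested host ranges
with the ID ranges delegated to a non-root user (/etc/subuid, /etc/subgid).

Added example, not CRI-O's code. Assumes the grammar shown in the issue
("private:uidmapping=C:H:S;gidmapping=C:H:S") and the "user:start:count"
subuid/subgid line format used by Podman and Buildah.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    container_id: int  # first ID inside the user namespace
    host_id: int       # first host ID it maps to
    size: int          # number of consecutive IDs

    def host_range(self):
        """Inclusive (first, last) host ID range covered by this mapping."""
        return self.host_id, self.host_id + self.size - 1


def parse_userns_mode(value):
    """Return (mode, uidmaps, gidmaps) for a userns-mode annotation value."""
    mode, _, rest = value.partition(":")  # split only at the first colon
    uidmaps, gidmaps = [], []
    if rest:
        for option in rest.split(";"):
            key, _, spec = option.partition("=")
            parts = spec.split(":")
            if len(parts) != 3:
                raise ValueError(f"malformed mapping: {option!r}")
            m = IdMap(*(int(p) for p in parts))
            if m.size <= 0 or m.host_id < 0 or m.container_id < 0:
                raise ValueError(f"invalid mapping values: {option!r}")
            if key == "uidmapping":
                uidmaps.append(m)
            elif key == "gidmapping":
                gidmaps.append(m)
            else:
                raise ValueError(f"unknown option: {key!r}")
    return mode, uidmaps, gidmaps


def parse_subid(text, user):
    """Return the inclusive host ranges delegated to `user` in subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(start) + int(count) - 1))
    return ranges


def mapping_allowed(maps, delegated):
    """True if every requested host range lies entirely inside one delegated range."""
    for m in maps:
        lo, hi = m.host_range()
        if not any(dlo <= lo and hi <= dhi for dlo, dhi in delegated):
            return False
    return True


# Constructed sample of /etc/subuid (reused as /etc/subgid below).
SAMPLE_SUBID = """\
# constructed sample, not a real system file
alice:100000:65536
bob:200000:65536
"""


def check_request(annotation, user, running_as_root,
                  subuid_text=SAMPLE_SUBID, subgid_text=SAMPLE_SUBID):
    """Decide whether the requested mappings may be honoured for `user`.

    Root may map any host IDs (the behaviour the issue describes); a
    non-root user is limited to the ranges delegated to it.
    """
    _mode, uidmaps, gidmaps = parse_userns_mode(annotation)
    if running_as_root:
        return {"uid_ok": True, "gid_ok": True}
    return {
        "uid_ok": mapping_allowed(uidmaps, parse_subid(subuid_text, user)),
        "gid_ok": mapping_allowed(gidmaps, parse_subid(subgid_text, user)),
    }


if __name__ == "__main__":
    issue_value = "private:uidmapping=0:100000:90000;gidmapping=0:100000:90000"
    # 90000 IDs starting at 100000 exceed alice's 65536 delegated IDs.
    print(check_request(issue_value, "alice", running_as_root=False))
    print(check_request(issue_value, "alice", running_as_root=True))
```

Running it shows why the same annotation is fine for a root pod but cannot simply be handed to a non-root user: the 90000-ID range in the issue's pod spec runs past the 65536 IDs delegated to `alice`, while a request of `0:100000:65536` fits and would be acceptable for her.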