How to run enroot in a managed K8s?

[elgalu]

Hi, how to setup enroot kernel config in a customized Kubernetes setup? Or perhaps this is not possible when running in a K8s unprivileged pod?

./enroot-check_*.run --verify
[ERROR] Could not find kernel configuration

cat /proc/sys/user/max_user_namespaces
3062836

cat /proc/sys/user/max_mnt_namespaces
3062836

cat /proc/sys/kernel/unprivileged_userns_clone
1

[3XX0]

Unfortunately this is not possible unprivileged because docker will block it through seccomp amongst other things. You could relax the seccomp filters though which should be safe if you're truly unprivileged.

[elgalu]

Thanks, do you know exactly how to configure my K8s Pod securityContext similar to containers/podman#8130 (comment) perhaps by leveraging seccomp.security.alpha.kubernetes.io ?

[3XX0]

Yeah maybe, I'm not really familiar with the new seccomp profiles in K8s.
You will most likely have to whitelist at least unshare and mount, probably a few other ones

[3XX0]

Any update? Could you make it work?

[elgalu]

Gave up on K8s, we'll go with SLURM + plain EC2.