Add note about volume with unprivileged container #12301
Conversation
openshift-ci
bot
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan, umohnani8 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -124,6 +124,15 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string, | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
| if len(po.Spec.Volumes) != 0 { | |||
| warning := ` | |||
| # NOTE: If you generated this yaml from an unprivileged and rootless podman container on an SELinux | |||
There was a problem hiding this comment.
Isn't this something we can know? We know if we're rootless, and AFAIK the SELinux package has the ability to check if we're enabled
There was a problem hiding this comment.
We could check for that and add the privileged: true option, but that would be assuming the user wants to run a privileged container. We could add a warning that we made it privileged due to volumes.
There was a problem hiding this comment.
Well the spec file could be shared with people on a different system with SELinux enabled.
There was a problem hiding this comment.
Why are we doing this in podman generate kube, now that I think about this? This mostly seems like an issue for podman play kube - shouldn't we warn people there, given the problems show up when the YAML is run?
There was a problem hiding this comment.
It shows up when we run the yaml in a kubernetes cluster, so makes more sense to put the warning on the generate side.
There was a problem hiding this comment.
The note will be added to the generated yaml, so users should see it when using it in a kubernetes cluster or with play kube.
|
LGTM |
Add a note to the generated kube yaml if we detect a volume is being mounted. The note lets the user know what needs to be done to avoid permission denied error when trying to access the volume for an unprivileged container. Add the same note to the man pages. NO NEW TESTS NEEDED Signed-off-by: Urvashi Mohnani <[email protected]>
|
This is ready to merge @rhatdan PTAL |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
NO NEW TESTS NEEDED
Signed-off-by: Urvashi Mohnani [email protected]
What this PR does / why we need it:
Add a note to the generated kube yaml if we detect a
volume is being mounted. The note lets the user know
what needs to be done to avoid permission denied error
when trying to access the volume for an unprivileged
container.
Add the same note to the man pages.
How to verify it
Add volumes to your podman container and call
podman generate kubeon it - the generated yaml should have a note about volumes in it.Which issue(s) this PR fixes:
Fixes #11916
Special notes for your reviewer: