sig-node: Kubelet-in-UserNS, aka Rootless mode #1371
Conversation
Hi @AkihiroSuda. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/assign @dchen1107 @derekwaynecarr
ping
@AkihiroSuda i've added this to the weekly sig-node meeting. let's see if we can get some eyes there
Thanks, but I'm not likely to be able to attend the meeting due to the timezone, sorry.
@AkihiroSuda no worries, i will raise it on your behalf :)
isn't it blocked on #1370?
I think we should tackle cgroups v2 first which has a related KEP. I would prefer we track rootless behaviors in the cgroups v2 KEP which still needed further iteration.
Updated PR to address comments, thanks all for reviewing!
Hi, I was just going through this and found some super-trivial things that you might be interested in? 😅
This seems like an incredibly expensive way (from a network POV) to get rid of root-components and the resulting semantics seem dodgy (those rlimits are configured for a reason).
That said, the request, as far as I can see, is pretty non-invasive, so who am I to tell you what (not) to do?
- Allow `kubelet` and `kube-proxy` to be executed inside user namespaces create by a non-root user. See ["Required changes to Kubernetes"](#required-changes-to-kubernetes). |
... windows has these 'kernel silos' or something like that, need @jsturtevant to weigh in here, on what this would mean for hostProcess containers....
I guess that nodeports are generally high numbers, so non-root is ok. As I
write that, I assumed iptables (which would suck less than userspace).
On Mon, May 17, 2021, 6:21 PM Akihiro Suda wrote:
In keps/sig-node/2033-rootless/README.md (#1371 (comment)):
> +$ nsenter -t $ROOTLESSKIT_CHILD_PID -a kube-proxy ... &
+$ nsenter -t $ROOTLESSKIT_CHILD_PID -a flanneld ... &
+```
+
+#### Paths
+
+Some paths like `/var/log/pods` are hardcoded in Kubernetes and hard to change.
+
+Although these directories are not writable by unprivileged users, Kubernetes does NOT need to be changed to use unprivileged home directories,
+because RootlessKit can bind-mount writable directories on these paths without the root privileges. (`rootlesskit --copy-up=/var`)
+
+#### Network
+The node components need to be executed in RootlessKit's network namespace, because an unprivileged user cannot do privileged operations in the host network namespace.
+As the components are executed inside a network namespace, `NodePorts` are not directly accessible from other hosts.
+
+An external controller should watch changes on `corev1.Service` resources and call [RootlessKit API](https://github.com/rootless-containers/rootlesskit/blob/v0.11.1/pkg/api/openapi.yaml) to set up port forwarding for the node ports.
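Review bot: The Network paragraph does not say where the forwarded port is bound or by whom; since the forwarder set up through the RootlessKit API is itself unprivileged, it can only bind host ports the kernel lets a non-root user bind, which holds for the default NodePort range (30000-32767) but not for a range that reaches below the privileged-port boundary. Stating that, and that every NodePort connection now takes an extra hop through the forwarder, would answer the obvious reviewer question. Suggested wording after the last sentence: "The port forwarder runs unprivileged on the host side of the namespace and can only bind host ports available to non-root users."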
No, the port forwarder is rootless too. This port forwarder is needed
because kube-proxy cannot listen on ports outside the namespace.
There is an experiment to remove slirp overhead by using
Signed-off-by: Akihiro Suda <[email protected]>
@ehashman please approve!
Feature gate has been added, addressing the last of my PRR comments.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: AkihiroSuda, derekwaynecarr, ehashman.
@ehashman Thanks for approval, can we get this merged? SIG-release approved this in v1.22 milestone, with the merge deadline May 25.
/hold cancel
Thanks @dims!
Allow running the entire set of Kubernetes components (`kubelet`, CRI, OCI, CNI, and all `kube-*`) as a non-root user on the host, by using a user namespace and cgroup v2 (#1370). Rootless mode has already been adopted by k3s.
Also, kind already supports Rootless Docker/Podman, with unmodified Kubernetes, but it uses a very dirty hack to avoid sysctl errors, so this KEP still has to be accepted.
Replaces #1084
POC: https://github.com/rootless-containers/usernetes
Kubernetes PR: kubernetes/kubernetes#92863
Tracking issue: #2033
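The description above rests on three host prerequisites that recur through the thread: an unprivileged user namespace, cgroup v2 with controllers delegated to the user, and NodePorts that a non-root process can bind. The preflight script below is an added example written for this page, not code from the KEP, Usernetes or kubernetes/kubernetes. Its choices are assumptions of the example: it treats `cpu`, `memory` and `pids` as the controllers worth requiring, uses 30000-32767 as the NodePort range, and reads `/proc/self/uid_map`, `/proc/self/cgroup` and `net.ipv4.ip_unprivileged_port_start` directly. The parsing functions take their input as arguments so they can be checked with constructed file contents and no cluster.

```shell
#!/bin/sh
# Added example, not code from the KEP, Usernetes or kubernetes/kubernetes:
# preflight checks for the host prerequisites that a rootless kubelet and
# kube-proxy depend on. Parsing functions take their input as arguments;
# rootless_preflight feeds them the live kernel files.

# classify_uid_map "<contents of /proc/self/uid_map>"
# Prints "host" for the initial user namespace (identity map 0 -> 0 over the
# whole 32-bit range) and "userns" for any other mapping (heuristic).
classify_uid_map() {
    _map=$(printf '%s\n' "$1" | tr -s ' \t' ' ' | sed 's/^ //;s/ $//')
    case "$_map" in
        "0 0 4294967295") echo host ;;
        *) echo userns ;;
    esac
}

# own_cgroup_v2_path "<contents of /proc/self/cgroup>"
# Prints the cgroup v2 path of the calling process (the "0::" entry), or
# nothing when the process is not on the unified hierarchy.
own_cgroup_v2_path() {
    printf '%s\n' "$1" | sed -n 's/^0:://p' | head -n 1
}

# cgroup_missing_controllers "<contents of cgroup.controllers>" CTRL...
# Prints each requested controller absent from the space-separated list;
# empty output means all of them are delegated down to that cgroup.
cgroup_missing_controllers() {
    _have=" $(printf '%s' "$1" | tr -s ' \t\n' ' ') "
    shift
    for _c in "$@"; do
        case "$_have" in
            *" $_c "*) ;;
            *) printf '%s\n' "$_c" ;;
        esac
    done
}

# port_needs_privilege PORT [UNPRIV_START]
# Returns 0 when a non-root user cannot bind PORT, i.e. PORT is below
# net.ipv4.ip_unprivileged_port_start (kernel default 1024).
port_needs_privilege() {
    [ "$1" -lt "${2:-1024}" ]
}

# rootless_preflight: run the checks against this host. Exit status 0 means
# every prerequisite checked here is present; each failure prints one line.
rootless_preflight() {
    _rc=0
    echo "user namespace: $(classify_uid_map "$(cat /proc/self/uid_map)")"

    _cg=$(own_cgroup_v2_path "$(cat /proc/self/cgroup)")
    if [ -z "$_cg" ] || [ ! -r "/sys/fs/cgroup$_cg/cgroup.controllers" ]; then
        echo "FAIL: process is not on a cgroup v2 unified hierarchy"
        _rc=1
    else
        # Assumption of this example: cpu/memory/pids are the controllers the
        # kubelet needs for pod resource limits, so they must reach our cgroup.
        _missing=$(cgroup_missing_controllers \
            "$(cat "/sys/fs/cgroup$_cg/cgroup.controllers")" cpu memory pids)
        if [ -n "$_missing" ]; then
            echo "FAIL: controllers not delegated to $_cg:" $_missing
            _rc=1
        fi
    fi

    _start=1024
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        _start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)
    fi
    # 30000-32767 is the default NodePort range; the lower bound decides.
    if port_needs_privilege 30000 "$_start"; then
        echo "FAIL: NodePort 30000 is below unprivileged port start $_start"
        _rc=1
    fi
    return $_rc
}

# Usage: sh rootless_preflight.sh   (live checks run only under that file
# name, so the file can also be sourced just for its functions)
case "$0" in *rootless_preflight.sh) rootless_preflight ;; esac
```

The user-namespace check is deliberately a heuristic: a namespace that maps the full 32-bit range looks identical to the initial namespace from inside, but a non-root user cannot create such a mapping, so for the rootless case the page discusses the distinction holds. The cgroup check reads `cgroup.controllers` at the process's own cgroup rather than at the root of the hierarchy, because what matters for rootless is what has been delegated down to the user, not what the kernel supports.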