Can I run privileged containers in Gravity?

Ported from support slack

What about privileged containers and hostMode? I require loading of kernel modules from within a container; that's why I need privileged.

There is no need to turn on privileged in apiserver with gravity if you want to add extra capabilities to the containers, for example:

```
CAP_SYS_MODULE
       * Load and unload kernel modules (see init_module(2) and
         delete_module(2));
       * in kernels before 2.6.25: drop capabilities from the
         system-wide capability bounding set.
```

Could be added through Pod security policies.

If you would still have to add privileged=true, right now you would have to patch the systemd unit spec inside gravity:

```
$ sed -i 's/allow-privileged=false/allow-privileged=true/g' /lib/systemd/system/kube-*
$ systemctl daemon-reload
$ systemctl restart 'kube-*'
```

The upcoming release will support ClusterConfiguration resource to set this and other parameters in the apiserver after the install.

https://gravitational.com/gravity/docs/cluster/#cluster-configuration
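The capabilities-instead-of-privileged approach from the reply above, written out as an added example; this is not from the thread or from Gravity's own docs. The policy name `sys-module-only`, the namespace `modules`, the service account `module-loader`, the image reference and the read-only `/lib/modules` host path are all assumed placeholders. The PodSecurityPolicy allows exactly one extra capability, `SYS_MODULE` (Kubernetes drops the `CAP_` prefix), keeps `privileged: false`, and is bound to a single service account with the `use` verb, so the apiserver `allow-privileged` flag never has to change.

```yaml
# Added example, not Gravity's code: least-privilege alternative to privileged: true.
# All names, the namespace and the image below are assumed placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sys-module-only
spec:
  privileged: false                 # privileged: true stays rejected by cluster policy
  allowPrivilegeEscalation: false   # no setuid / file-capability escalation inside the container
  allowedCapabilities:
    - SYS_MODULE                    # the only capability a pod under this policy may add
  volumes:
    - hostPath
    - configMap
    - secret
  allowedHostPaths:
    - pathPrefix: /lib/modules      # assumed location of the module files; read-only only
      readOnly: true
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: module-loader
  namespace: modules
---
# Only this service account may "use" the policy; other workloads are unaffected.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-sys-module-only
  namespace: modules
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["sys-module-only"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: module-loader-uses-sys-module-only
  namespace: modules
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-sys-module-only
subjects:
  - kind: ServiceAccount
    name: module-loader
    namespace: modules
---
apiVersion: v1
kind: Pod
metadata:
  name: module-loader
  namespace: modules
spec:
  serviceAccountName: module-loader
  containers:
    - name: loader
      image: example.invalid/module-loader:1.0   # assumed placeholder image
      securityContext:
        privileged: false                        # not needed: the capability below suffices
        allowPrivilegeEscalation: false
        capabilities:
          add: ["SYS_MODULE"]
      volumeMounts:
        - name: modules
          mountPath: /lib/modules
          readOnly: true
  volumes:
    - name: modules
      hostPath:
        path: /lib/modules
```

Apply the file with `kubectl apply -f` and check the admitted pod with `kubectl get pod module-loader -n modules -o yaml`: the admission controller records the policy used in the `kubernetes.io/psp` annotation, and a variant of the same pod that sets `privileged: true` is rejected with the "Forbidden: disallowed by cluster policy" error quoted later in this thread, independently of the apiserver flag. PodSecurityPolicy was removed from Kubernetes in 1.25, so on current clusters the same least-privilege intent is expressed with Pod Security Admission or an external admission policy instead.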

Hi, what will be the ClusterConfiguration to enable privileged containers? Do we have any sample example?


+1
I’m wanting to run calico and the Daemon set will require privileged as well based on the install yaml I found at calico site.

I am also trying to run Calico here and require privileged. Has anyone found a successful way? I'd like to use PSP to do so. Currently using Gravity 5.5.15 (k8s < 1.15). I'd like to stay away from modifying the Planet kubelet service to `--allow-privileged=true` during tele build.

It looks like Gravity version 6.1.2 bumps K8s up to 1.15, which deprecates the kubelet's `--allow-privileged` flag. I have yet to try this newer version, but I'd like to understand exactly how the current Cluster policy stops privileged containers from executing even though the service account is using the "privileged-psp-users" ClusterRole, which itself references the default privileged PSP.

The reasons for wanting to use Calico are BGP and network policy support.

Is there any example of using PSP to get around whatever flags Gravity sets to disallow privilege? I always see the following error: "Forbidden: disallowed by cluster policy", even when trying to associate the service account with "privileged-psp-user" or "cluster-admin". Version 5.5.15 or 6.1.2.

The kube-apiserver also takes an allow-privileged flag, which I believe will prevent any privileged containers from being run against the cluster, so even though the kubelet flag was removed, this doesn’t entirely get rid of the hard-code that disables privileged containers. The flag overrides anything configured via a PSP.

On the other hand, we've begun to work on exposing a supported method to enable privileged containers, as there is too much third-party software that doesn't require but uses privileged containers instead of fine-grained security controls, which is difficult to run on gravity.


PR is on the way:

:passenger_ship:


Official support for privileged containers has been released in 6.1.4 / 6.0.7.

Release Notes:
https://gravitational.com/gravity/docs/changelog/#614-september-9th-2019

Docs:
https://gravitational.com/gravity/docs/faq/#running-privileged-containers

@mmellin FYI
