Can I run privileged containers in Gravity?


#1

Ported from support slack

What about privileged containers and hostMode? I require loading of kernel modules from within a container, that’s why I need privileged


#2

There is no need to turn on privileged in apiserver with gravity if you want to add extra capabilities to the containers, for example:

```
CAP_SYS_MODULE
    * Load and unload kernel modules (see init_module(2) and
      delete_module(2));
    * in kernels before 2.6.25: drop capabilities from the system-
      wide capability bounding set.
```

Could be added through Pod security policies.

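As an added example (not from the original thread or from Gravity's own manifests), here is what the approach in #2 looks like in practice: a PodSecurityPolicy that keeps `privileged: false` but allows `SYS_MODULE` (Kubernetes drops the `CAP_` prefix), an RBAC binding granting `use` on that policy to a service account, and a Pod that requests the capability and mounts the host's `/lib/modules` read-only so `modprobe` can find the module. All names (`kmod-loader`, the namespace, the image and the module) are hypothetical, and the example assumes the PodSecurityPolicy admission plugin is enabled in the apiserver, as #2 implies.

```yaml
# Added example, not part of the original thread. Names are hypothetical.
# Assumes the PodSecurityPolicy admission plugin is enabled.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kmod-loader
spec:
  privileged: false                 # no privileged containers needed
  allowedCapabilities:
  - SYS_MODULE                      # CAP_SYS_MODULE, without the CAP_ prefix
  volumes:
  - hostPath
  - secret
  allowedHostPaths:
  - pathPrefix: /lib/modules        # only the module tree, read-only
    readOnly: true
  runAsUser:
    rule: RunAsAny                  # modprobe needs root plus the capability
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kmod-loader
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-kmod-loader
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["kmod-loader"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-kmod-loader
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-kmod-loader
subjects:
- kind: ServiceAccount
  name: kmod-loader
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: kmod-loader
  namespace: default
spec:
  serviceAccountName: kmod-loader
  containers:
  - name: loader
    image: alpine:3.12              # hypothetical; busybox provides modprobe/lsmod
    command: ["sh", "-c", "modprobe dummy && lsmod | grep dummy && sleep 3600"]
    securityContext:
      capabilities:
        add: ["SYS_MODULE"]         # only this capability, not privileged: true
    volumeMounts:
    - name: modules
      mountPath: /lib/modules
      readOnly: true
  volumes:
  - name: modules
    hostPath:
      path: /lib/modules
```

The policy is deliberately narrow: it grants one capability and one read-only host path rather than `privileged: true`, which would hand the container every capability plus unrestricted device access. CAP_SYS_MODULE is still effectively root on the node, since a loaded module runs in the kernel, so bind the policy only to the service account that needs it.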

#3

If you still need to add privileged=true, right now you would have to patch the systemd unit spec inside gravity:

```shell
$ sed -i 's/allow-privileged=false/allow-privileged=true/g' /lib/systemd/system/kube-*
$ systemctl daemon-reload
$ systemctl restart 'kube-*'
```

The upcoming release will support ClusterConfiguration resource to set this and other parameters in the apiserver after the install.


#4

https://gravitational.com/gravity/docs/cluster/#cluster-configuration