m/n/k/containerd: set device ownership based on security context

When a user deploys a pod with a kvm device it is owned by root. By
setting device_ownership_from_security_context to true, containerd
will chown these devices to the uid/gid set in the securityContext.
For more information see
https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/

Change-Id: I1a0285dfc560c3c662d5e2eb8e37e68d87408b83
Reviewed-on: https://review.monogon.dev/c/monogon/+/3428
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/containerd/config.toml b/metropolis/node/kubernetes/containerd/config.toml
index 177e0d0..5129081 100644
--- a/metropolis/node/kubernetes/containerd/config.toml
+++ b/metropolis/node/kubernetes/containerd/config.toml
@@ -65,6 +65,7 @@
     restrict_oom_score_adj = false
     max_concurrent_downloads = 3
     disable_proc_mount = false
+    device_ownership_from_security_context = true
     [plugins."io.containerd.grpc.v1.cri".containerd]
       snapshotter = "overlayfs"
       default_runtime_name = "runc"
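Review bot: the added `device_ownership_from_security_context = true` line carries no comment, so the reason for it lives only in the commit message. It sits just before the `[plugins."io.containerd.grpc.v1.cri".containerd]` table, which makes it a node-wide setting for every device handed to a container, while the commit message only discusses kvm devices. Consider adding a short TOML comment above the line saying that devices are chowned to the uid/gid from the pod's securityContext, with the Kubernetes blog link from the commit message, and stating in the description that the change is intended to cover all devices and not just kvm.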