You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# for /tmp
mount | grep "on / "
overlay on / type overlay (rw,seclabel,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/26481/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/26480/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/26558/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/26558/work)
# for /binaries
mount | grep "on /binaries "
/dev/sda7 on /binaries type ext4 (rw,seclabel,nosuid,nodev,noexec,relatime,stripe=64)
Which shows noexec for /binaries (but not for /tmp though).
What did you expect to happen?
vcluster create is OK
How can we reproduce it (as minimally and precisely as possible)?
Deploy a kubernetes cluster and configures it to bind any emptyDir to a partition with noexec. Then deploy vcluster.
Anything else we need to know?
Currently, it seems this behavior is particular to the Kubernetes environment I am deploying it into. Generally speaking, it seems the emptyDir are not mounted as noexec. However seeing kubernetes/kubernetes#48912 , it seems we are going in the direction of more security with emptyDir mounted as noexec (by default or with options).
I could ask the kubernetes admin if they can change the behavior of emptyDir, so that the partition are not noexec. It might be difficult for them to lower the security. Moreover, the kubernetes issue kubernetes/kubernetes#48912 might make this a future issue for vcluster anyway.
What if vcluster image directly contains the two binaries? I don't know about licence but that would prevent this trick and we could then have noexec in the image and in emptyDir.
@antoinetran Hi, thanks for opening this. to answer your question What if vcluster image directly contains the two binaries? the issue here is that we default to the current k8s version of the host (e.g. if you're on 1.27 in the host cluster the image will be pulled from k8s 1.27) and this is also configurable. So we would have to have at least 4 different images just for the k8s distro, plus the images would have to also include the scheduler and the controller even if not in use and BYOI would be harder too
The issue you linked may be a problem indeed for this approach, I will be taking a look
What happened?
In an environment where any emptyDir is mounted to a partition in host, with noexec, vcluster create will give:
After editing the pod for debug with strace:
If copied to /tmp, vcluster works.
Mount command gives:
Which shows noexec for /binaries (but not for /tmp though).
What did you expect to happen?
vcluster create is OK
How can we reproduce it (as minimally and precisely as possible)?
Deploy a kubernetes cluster and configures it to bind any emptyDir to a partition with noexec. Then deploy vcluster.
Anything else we need to know?
Currently, it seems this behavior is particular to the Kubernetes environment I am deploying it into. Generally speaking, it seems the emptyDir are not mounted as noexec. However seeing kubernetes/kubernetes#48912 , it seems we are going in the direction of more security with emptyDir mounted as noexec (by default or with options).
From my understanding of the code (see https://github.com/loft-sh/vcluster/blob/v0.20.0-beta.1/chart/templates/_init-containers.tpl), the initContainers are here to inject vcluster, only to do a cp command (because the cp is not present in the kubernetes images), to get kube-controller-manager and kube-apiserver binaries into vcluster image. This needs emptyDir mounted as exec.
Host cluster Kubernetes version
Host cluster Kubernetes distribution
kubespray
vlcuster version
Vcluster Kubernetes distribution(k3s(default)), k8s, k0s)
OS and Arch
The text was updated successfully, but these errors were encountered: