Vouch request: [ryanzhang-oss] #1701
ryanzhang-oss
started this conversation in
Vouch Request
Replies: 1 comment
The PR is #1698
What do you want to work on?
I want to fix the issue that we can't run openShell on AKS. The problem is that AKS with containerd 2.1 + Ubuntu 24.04 blocks "mount --make-shared /run/netns" from inside the container, even with hostUsers: false and namespaced CAP_SYS_ADMIN. The supervisor needs that mount to set up the per-agent network namespace. Symptoms: pod stuck in CrashLoopBackOff, supervisor logs show the mount denial.
Root cause: /run is owned by the host's init user namespace. Userns alone doesn't help — only dropping seccomp, AppArmor, and locked-mount restrictions gets the call through.
Why this change?
I added an extra field in the open helm chart to allow the open shell to create a privileged pod as a sandbox.
Checklist