
Privileged notebook containers #300

Closed
jacobtomlinson opened this issue Nov 30, 2017 · 10 comments

Comments

@jacobtomlinson
Contributor

Does anyone have any thoughts on how to run the notebook pods as privileged to allow mounting FUSE filesystems? I can't see an option in the config anywhere.

Ideally we want to give notebooks access to S3 buckets as a local volume using s3-fuse (or similar).

@yuvipanda
Collaborator

We could add an option in http://github.com/jupyterhub/kubespawner to make that happen.

However, I'd highly recommend writing a flexvolume provider instead. I wrote a custom one for NFS (https://github.com/yuvipanda/nfs-flex-volume) and it is simpler, more flexible, and works much better than using FUSE inside a privileged container IMO.

@jacobtomlinson
Contributor Author

I noticed in the kubespawner there is a kwarg to enable privileged on the create pod method. I just couldn't figure out how to enable it from the helm chart.

I'll look into the flexvolume providers, sounds interesting!

@choldgraf
Member

@mrocklin you may be interested in this thread as well

@mrocklin
Contributor

mrocklin commented Dec 6, 2017

Yes, thanks for the link. Seeing the types of supported volumes is reassuring. I will say though that sometimes you still want FUSE, not for local storage but to manage global storage systems, like GCS through the gcsfuse project.

@jacobtomlinson
Contributor Author

Our use case is mounting in S3 buckets on our AWS cluster for data access (read only for now).

I've followed @yuvipanda's advice and created a flex-volume provider for our custom s3 fuse library (we rolled our own for reasons). Frustratingly it did require some customisation of the kubernetes worker base images to install the fuse library and driver.

Overall I'm happier with this approach than giving users privileged containers.

@yuvipanda yuvipanda added this to the 0.6 milestone Jan 9, 2018
@yuvipanda
Collaborator

@jacobtomlinson You should keep an eye on http://blog.kubernetes.io/2018/01/introducing-container-storage-interface.html which should solve your worker base image customization problem. It's also the future of FlexVolume...

/cc @mrocklin who is doing very similar things with GCSFuse (and possibly s3)

@yuvipanda
Collaborator

I'm going to bump this off the 0.6 milestone because we sort of ran out of time, sorry! Should make it in for 0.7.

@yuvipanda yuvipanda modified the milestones: 0.6, 0.7 Jan 23, 2018
@choldgraf
Member

A note that CSI is now in beta. Not sure to what capacity we'll "support" this, but just FYI.

@minrk minrk removed this from the 0.7 milestone Aug 16, 2018
@consideRatio
Member

What is the actual action plan for this issue?

Related docs

  • about a pod's securityContext, set in the pod spec:

    ```yaml
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 2000
    ```

  • about a container's securityContext:

    ```yaml
    # nested under spec.containers on a specific container
      securityContext:
        allowPrivilegeEscalation: false
    ```

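As an added illustration of the settings in those docs (example code written for this thread, not code from the Zero to JupyterHub chart or KubeSpawner): a small audit that compares a privileged notebook pod spec, the kind an in-container FUSE mount pushes you towards, with one that uses the pod-level and container-level securityContext fields above and leaves the bucket mount to a volume driver. Both pod specs are constructed, and `audit_pod` and `effective_run_as_user` are hypothetical helpers, not a chart or KubeSpawner API.

```python
"""Audit a pod spec for the privilege settings discussed in this issue.

Added example for this thread: both pod specs below are constructed for
illustration and the helpers are hypothetical, not part of the Zero to
JupyterHub chart or KubeSpawner.
"""
from typing import Any, Dict, List, Optional

# Constructed "before" spec: what mounting FUSE inside the notebook container
# requires (a privileged flag on the spawner produces this kind of spec).
PRIVILEGED_NOTEBOOK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "jupyter-alice"},
    "spec": {
        "containers": [
            {
                "name": "notebook",
                "image": "jupyter/base-notebook",
                "securityContext": {"privileged": True},
            }
        ]
    },
}

# Constructed "after" spec: the pod-level and container-level securityContext
# fields from the docs above; the storage mount is left to a volume driver.
HARDENED_NOTEBOOK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "jupyter-alice"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
        "containers": [
            {
                "name": "notebook",
                "image": "jupyter/base-notebook",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}


def effective_run_as_user(pod_ctx: Dict[str, Any], ctr_ctx: Dict[str, Any]) -> Optional[int]:
    """A container-level runAsUser overrides the pod-level one; None if neither is set."""
    if "runAsUser" in ctr_ctx:
        return ctr_ctx["runAsUser"]
    return pod_ctx.get("runAsUser")


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per privilege-related problem; an empty list means clean."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}

    if "fsGroup" not in pod_ctx:
        findings.append("pod: fsGroup not set; mounted volumes keep their on-disk group ownership")

    # Init containers carry their own securityContext too, so audit them alongside.
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        ctx = ctr.get("securityContext") or {}

        # A privileged container has near host-root access, and Kubernetes treats
        # allowPrivilegeEscalation as true for it regardless of what is declared.
        if ctx.get("privileged") is True:
            findings.append(f"container {name!r}: securityContext.privileged is true")

        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name!r}: allowPrivilegeEscalation is not explicitly false")

        uid = effective_run_as_user(pod_ctx, ctx)
        if uid is None:
            findings.append(f"container {name!r}: no runAsUser at pod or container level (image default applies)")
        elif uid == 0:
            findings.append(f"container {name!r}: runAsUser is 0 (root)")

    return findings


if __name__ == "__main__":
    for label, pod in (("privileged", PRIVILEGED_NOTEBOOK_POD), ("hardened", HARDENED_NOTEBOOK_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

Running it reports four findings for the privileged spec (no fsGroup, privileged container, no explicit allowPrivilegeEscalation: false, no runAsUser) and none for the hardened one; the same check is easy to run over the rendered output of a spawner or Helm chart before users get pods from it.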
@consideRatio
Member

I have a PR open now with regards to setting all the kinds of k8s privileges on pods, and discuss configuring kubespawner through the Helm chart as well, see: #1798

I'm closing this as a stale question at this point.
