[WIP] Make /proc/sys read-only with carve-outs for some sysctls #3518
Commits on Feb 13, 2024
-
Make /proc/sys read-only with carve-outs for some sysctls
This mounts a read-write version of /proc and /sys under /kind/private, which allows bind mounting and also makes use cases that need an unmasked proc or sys possible. /proc/sys is bind mounted read only per the systemd container interface[1]. Then some sysctls are made writable again by bind mounting across from the private /proc which was mounted. This may cause issues for privileged daemonsets which set sysctls which aren't namespaced (this may work anyway as often they set them to the same value on multiple nodes). That can be worked around by adding additional bind mounts via docker exec, making it clear kind can't support such interfaces and they might leak from the container. [1]: https://systemd.io/CONTAINER_INTERFACE/
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.