docker/buildx
1
0
Fork 0
mirror of https://gitea.com/Lydanne/buildx.git synced 2025-05-19 01:47:43 +08:00
Code Issues Packages Projects Releases 1 Wiki Activity

kubernetes: rootless: support Google Container-Optimized OS

Browse Source 
Tested with GKE Autopilot 1.24.3-gke.200 (kernel 5.10.123+, containerd 1.6.6).

ref: moby/buildkit PR 3097

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2022-09-09 08:12:58 +09:00
parent 25ceb90678
commit 33e5f47c6c
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
driver/kubernetes/manifest/manifest.go
View File

@ -213,6 +213,24 @@ func toRootless(d *appsv1.Deployment) error {
d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1) d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1)
} }
d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined" d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
// Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
// but the default VOLUME does not work with rootless on Google's Container-Optimized OS
// as it is mounted with `nosuid,nodev`.
// https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
// https://github.com/moby/buildkit/pull/3097
const emptyDirVolName = "buildkitd"
d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
Name: emptyDirVolName,
MountPath: "/home/user/.local/share/buildkit",
})
d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
Name: emptyDirVolName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
})
return nil return nil
} }