[Discuss] unprivileged rootful podman in kubernetes

[DekusDenial]

Having read about different ways of operating podman in various environments, it certainly feels like getting this CSI project to work with podman in unprivileged container in kubernetes would be a very interesting and strong use case which will benefit many.

The challenge ahead may be getting the fusermount proxy to somehow “work” with fuse-overlayfs when podman is configured to use overlay as the storage driver. And currently without granting SYS_ADMIN rootful podman simply does not work in a unprivileged container in a kubernetes pod.

[utam0k]

👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true?
We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

[utam0k]

FYI: We need to take the rootless network and some system calls(mount(2)) into consideration.

[naoki9911]

It seems fuse-overlayfs calls low-level api fuse_session_mount and it calls fusermount3 in fuse_kern_mount.
https://github.com/containers/fuse-overlayfs/blob/18f4d6768ab2178f0147c1bac0ccfd7d44841a56/main.c#L5883C7-L5883C25
https://github.com/libfuse/libfuse/blob/3f6cf537b77597d89bebd8387e93d4e42428b966/lib/fuse_lowlevel.c#L3179

I think this plugin can mount fuse-overlayfs, but its mount destination is statically defined in pod's manifest.
AFAIK, Podman requires fuse-overlayfs to be mounted to each container's directory and the directories are dynamically specified.
Current meta-fuse-csi-plugin cannot handle such dynamic behavior.

[giuseppe]

👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true?
We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

in this case you'd need to be able to create a user namespace. Podman can run in a pod without privileges as long as /proc is unmasked and it can create a user namespace. Without an unmasked /proc it is only able to build container images with --isolation=chroot)

[utam0k]

👍 I didn't know --isolation=chroot. Thanks ;)

Without an unmasked /proc it is only able to build container images with --isolation=chroot)