Closed
Description
This is more of a question than a bug report or feature request.
Problem statement:
- I'm trying to control resource consumption inside of a Kubernetes pod via cgroupv2, which requires write permission to /sys/fs/cgroup within the container.
- Making the pod privileged is a viable way, but it exposes a security concern since the container process basically runs as a root process on the host.
- I notice years ago CRI already implemented writable cgroupv2 for unprivileged pods: PR
The following is my deployment spec.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: stall-forever
  annotations:
    io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stall-forever
  template:
    metadata:
      labels:
        app: stall-forever
    spec:
      containers:
      - name: stall-forever
        image: dentiny:stall_image
        securityContext:
          capabilities:
            add:
            - SYS_RESOURCE
```
But checking the pod, cgroupv2 is still mounted in read-only mode.
```
ubuntu@hjiang-devbox-pg$ k exec -it stall-forever-755779544f-h4lb6 -- /bin/bash
root@stall-forever-755779544f-h4lb6:/app# mount | grep cgroup
cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime,nsdelegate)
```
My container runtime information:
```
ubuntu@hjiang-devbox-pg$ k get nodes -o wide
NAME                 STATUS   ROLES           AGE    VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
kind-control-plane   Ready    control-plane   3d4h   v1.26.0   172.18.0.2    <none>        Ubuntu 22.04.1 LTS   5.15.0-1072-aws    containerd://1.6.12
```
I'm not sure how to apply this to an unprivileged pod to get a writable cgroup.
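Note that the annotation in the spec above is a CRI-O one while the node reports `containerd` as its runtime, so the first thing to verify after any runtime change is what the container actually sees. The following is an added example (not code from the issue or from the project): a POSIX shell check that reads either `mount` output or `/proc/self/mounts` and reports whether the cgroup2 hierarchy at `/sys/fs/cgroup` is mounted `rw` or `ro`, suitable for an init container or a readiness probe. The sample mount lines are constructed from the issue's output; `require_cgroup_rw` is a hypothetical helper name.

```shell
#!/bin/sh
# cgroup_mount_mode: read mount lines on stdin and print "rw", "ro", "unknown"
# (cgroup2 mounted but neither flag present) or "none" (no cgroup2 mount at
# /sys/fs/cgroup). Accepts both of these line shapes:
#   mount(8):          <src> on <target> type <fstype> (<opts>)
#   /proc/self/mounts: <src> <target> <fstype> <opts> 0 0
cgroup_mount_mode() {
  awk '
    function mode_of(opts,   n, a, i) {
      gsub(/[()]/, "", opts)          # strip the parentheses mount(8) adds
      n = split(opts, a, ",")
      for (i = 1; i <= n; i++)
        if (a[i] == "rw" || a[i] == "ro") return a[i]
      return "unknown"
    }
    $2 == "on" && $3 == "/sys/fs/cgroup" && $5 == "cgroup2" { mode = mode_of($6); exit }
    $2 == "/sys/fs/cgroup" && $3 == "cgroup2"               { mode = mode_of($4); exit }
    END { print (mode == "" ? "none" : mode) }
  '
}

# require_cgroup_rw: exit non-zero unless the live container sees a writable
# cgroup2 hierarchy. Use it as an init-container command so a pod that did not
# get the expected mount fails fast instead of silently losing resource control.
require_cgroup_rw() {
  mode=$(cgroup_mount_mode < /proc/self/mounts)
  if [ "$mode" = "rw" ]; then
    return 0
  fi
  echo "cgroup2 at /sys/fs/cgroup is '$mode', expected rw" >&2
  return 1
}

# Constructed sample lines (the first is the read-only mount from the issue).
SAMPLE_RO='cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime,nsdelegate)'
SAMPLE_RW='cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)'
SAMPLE_PROC='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0'
SAMPLE_OTHER='tmpfs on /tmp type tmpfs (rw,nosuid,nodev)'
```

Running `mount | cgroup_mount_mode` inside the pod from the issue prints `ro`, which matches the `(ro,...)` line shown above.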