
Run buildkitd pod in rootless mode

Open · tekumara opened this issue 3 years ago · 4 comments

My corporate kubes cluster prevents pods running with securityContext privileged=true. So unfortunately acorn's buildkitd pod fails to start.

Also unfortunately I'm not a cluster admin, so can't easily change our cluster's settings. I first created a loft vcluster, to have my own kube control plane, and then installed acorn.

Are there good reasons for running buildkitd as a privileged pod? Or would it be possible to run buildkitd in rootless mode?

tekumara avatar Aug 21 '22 05:08 tekumara

Buildkit rootless seems to need unconfined seccomp and apparmor, which very well might be rejected too. For rootless setups probably the best approach would be to support another builder like kaniko that runs rootless better.

ibuildthecloud avatar Aug 29 '22 02:08 ibuildthecloud
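To make the trade-off in the comment above concrete, here is an added example (not from the acorn project or any participant in this thread) showing the privileged pod spec a policy would reject next to the rootless spec that drops `privileged: true` but still needs unconfined seccomp and AppArmor. The image tag, the `--oci-worker-no-process-sandbox` flag and the UID 1000 follow BuildKit's upstream rootless Kubernetes example and should be checked against the BuildKit release actually in use; namespace and pod names are placeholders.

```yaml
# --- Rejected by a policy that forbids privileged containers ---
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd-privileged          # placeholder name
spec:
  containers:
    - name: buildkitd
      image: moby/buildkit:master     # assumption: tag as in upstream examples
      securityContext:
        privileged: true              # the setting the cluster policy blocks
---
# --- Rootless variant: no privileged flag, non-root UID ---
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd-rootless            # placeholder name
  annotations:
    # AppArmor must be unconfined for rootless buildkitd to set up
    # its user/mount namespaces; a strict policy may still reject this.
    container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
spec:
  containers:
    - name: buildkitd
      image: moby/buildkit:master-rootless   # assumption: upstream rootless tag
      args:
        - --oci-worker-no-process-sandbox    # assumption: needed on k8s per upstream docs
      securityContext:
        runAsUser: 1000                      # non-root as in upstream example
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        # seccomp must also be unconfined (unshare/mount syscalls);
        # RuntimeDefault would block the rootless worker.
        seccompProfile:
          type: Unconfined
      readinessProbe:
        exec:
          command: ["buildctl", "debug", "workers"]   # upstream example probe
        initialDelaySeconds: 5
        periodSeconds: 30
```

A quick way to see which of the two a policy engine accepts is `kubectl apply --dry-run=server -f` on each manifest: admission webhooks (such as Pod Security Admission at the `restricted` level) report the rejected field, which tells you whether it is `privileged` alone or also the unconfined profiles that are blocked.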

Another thought is to support client side building. In your environment do you have docker on your laptop/desktop?

ibuildthecloud avatar Aug 29 '22 02:08 ibuildthecloud

Buildkit rootless seems to work in our cluster. I have docker locally on my Mac M1 (arm64). Although I do like building in the cluster, because the cluster is amd64 and has a faster network to our package repositories.

tekumara avatar Aug 29 '22 04:08 tekumara

It's logical for us to switch to rootless. If your cluster is going to reject privileged, and it rejects rootless too, you're no worse off than before.

ibuildthecloud avatar Sep 07 '22 01:09 ibuildthecloud

@ibuildthecloud - I wonder if @iwilltry42 should tackle this while he's refactoring buildkit to be exposed as a service LB. Tentatively putting it in v0.4 and assigning to him under that premise.

cjellick avatar Oct 05 '22 18:10 cjellick