k0s
k0s copied to clipboard
Rootless mode
Is your feature request related to a problem? Please describe. Kubernetes can be run rootless (see Usernetes). k0s is a great distribution, but it would be better for security and convenience to be able to run it with a regular user privileges level.
Describe the solution you'd like
k0s controller --single --install-dir ~/k0s-install --data-dir ~/k0s-data
Install happens to the specified directory and data will be stored in data dir. Single-node cluster works without rooted components.
Pros:
- Security
- Controlled and self-contained installation directory, no extra dirs for containerd and so on outside of k0s dir
Cons: typical limitations of rootless containers
Describe alternatives you've considered k0s-in-rootless-docker would be harder to do.
Additional context That would be super-convenient to have a single-node k0s-based deployment for development purposes. Single-directory setup will be more controllable,
Run control-plane as non-root will be released as alpha feature in v1.22 of upstream k/k.
Currently k0s' control plane does run without root privileges. It runs the different control plane daemons as different users. k0s itself runs as root to be able start those process with separate non-root privileges. You should also be able to start k0s controller
itself as non-root, if you specify --data-dir to a place where the user has write access. In this case the entire control plane should run as the user that started it. etcd, scheduler, api server would run as the same non-root user.
It is a different story when it comes to the workers, including --single
. This may need some work.
The issue is marked as stale since no activity has been recorded in 30 days
The issue is marked as stale since no activity has been recorded in 30 days