Mark Rossetti

Results 382 comments of Mark Rossetti

Found the PR to block this - https://github.com/kubernetes-sigs/image-builder/pull/694

From reading through the comments it sounds like we want to run some of the containers as `ContainerAdministrator` so they can get wire server access.

> From reading through the comments it sounds like we want to run some of the containers as `ContainerAdministrator` so they can get wire server access.

Oops, looks like we...

I spoke with @jsturtevant and I think the right course of action here is to run the csi-driver containers as HostProcess containers. We can run HostProcess containers as system accounts...

Oops, sorry, I mixed up IMDS and wireserver. I'm not sure why IMDS access is blocked here.

@jsturtevant do we need to manually create a route for IMDS endpoints for calico? I see https://github.com/kubernetes-sigs/sig-windows-tools/blob/42d4411003b94e086356f891b278d452fc8f50e8/hostprocess/flannel/flanneld/start.ps1#L28-L31 for flannel (running with host-process containers) but not for calico.

I confirmed that containers in aks-engine clusters have access to IMDS. I also confirmed that containers in CAPZ clusters (running both as ContainerUser and ContainerAdministrator) do not. I'll try and...

> and when I start a driver pod, it cannot access api-server using kubeconfig on the windows node, error is like following: > > ``` > 2022-03-08T04:29:27.4405461Z stderr F I0308...

> @marosset @daschott should we keep this issue open? We worked around the issue by running the CSI drivers in hostProcess containers which can access metadata. I think we should...