spegel
Reduce host permissions
Currently Spegel requires access to the containerd sock to function properly. This means that it is basically root on the node. In reality Spegel only needs read-only access to all of the layers and tags. The issue is that the containerd client is required to do tag resolution.
One option would be to switch over to using the CRI API. One drawback currently is that it does not have an event subscription service which we currently use with the containerd client.
If tags could be listed without the use of the containerd client, the blobs directory could be mounted read-only to the container and new layers could be detected with the help of a file watcher.
Created containerd/containerd/issues/8085 to see if there is an immediate solution that I have not seen yet.
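The read-only design sketched in the issue (blobs directory mounted into the container, new layers picked up by a watcher) can be illustrated with a small stand-alone program. This is an added example and not Spegel's own code. It assumes containerd's default content store layout, `<root>/io.containerd.content.v1.content/blobs/sha256/<hex digest>`, and uses a polling scan instead of inotify so it needs only the standard library; the `BlobStore` type, its methods and the constructed blob in `main` are all assumptions of this example. Besides detecting new digests it shows the one integrity check a process with only read access can still perform: re-hashing a blob and comparing it with the digest in its file name before ever serving it to a peer.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
	"time"
)

// hexDigest matches the file names containerd uses under blobs/sha256/ (lowercase 64-hex).
var hexDigest = regexp.MustCompile(`^[a-f0-9]{64}$`)

// BlobStore is a read-only view of one blobs/sha256 directory (assumed layout, see lead-in).
type BlobStore struct {
	Dir   string          // path of the blobs/sha256 directory
	known map[string]bool // digests already reported by Scan
}

func NewBlobStore(dir string) *BlobStore {
	return &BlobStore{Dir: dir, known: map[string]bool{}}
}

// Scan lists the directory and returns the digests ("sha256:<hex>") of blobs not seen before.
// Entries whose names are not a valid sha256 hex digest are ignored: nothing else should live here.
func (b *BlobStore) Scan() ([]string, error) {
	entries, err := os.ReadDir(b.Dir)
	if err != nil {
		return nil, err
	}
	var added []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !hexDigest.MatchString(name) {
			continue
		}
		if !b.known[name] {
			b.known[name] = true
			added = append(added, "sha256:"+name)
		}
	}
	sort.Strings(added)
	return added, nil
}

// Verify re-hashes a blob and reports whether its content matches the digest in its file name.
// A read-only mount is enough for this check, so a mirror can refuse to serve a corrupted layer.
func (b *BlobStore) Verify(digest string) (bool, error) {
	name := strings.TrimPrefix(digest, "sha256:")
	if !hexDigest.MatchString(name) {
		return false, fmt.Errorf("not a sha256 digest: %q", digest)
	}
	f, err := os.Open(filepath.Join(b.Dir, name))
	if err != nil {
		return false, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return false, err
	}
	return hex.EncodeToString(h.Sum(nil)) == name, nil
}

// Watch polls the directory every interval and emits newly appeared digests until stop is closed.
// Polling stands in for the file watcher the issue mentions; inotify would replace the ticker.
func (b *BlobStore) Watch(interval time.Duration, stop <-chan struct{}) <-chan string {
	out := make(chan string)
	go func() {
		defer close(out)
		t := time.NewTicker(interval)
		defer t.Stop()
		for {
			select {
			case <-stop:
				return
			case <-t.C:
				added, err := b.Scan()
				if err != nil {
					continue // directory may be unmounted briefly; try again next tick
				}
				for _, d := range added {
					out <- d
				}
			}
		}
	}()
	return out
}

func main() {
	// Constructed demo: a temp dir standing in for blobs/sha256 with one well-formed blob.
	dir, _ := os.MkdirTemp("", "blobs-sha256-")
	defer os.RemoveAll(dir)
	content := []byte("constructed layer content")
	sum := sha256.Sum256(content)
	_ = os.WriteFile(filepath.Join(dir, hex.EncodeToString(sum[:])), content, 0o444)

	store := NewBlobStore(dir)
	added, _ := store.Scan()
	for _, d := range added {
		ok, _ := store.Verify(d)
		fmt.Printf("new blob %s verified=%v\n", d, ok)
	}
}
```

Only `Scan` and `Verify` touch the filesystem, and both open files read-only, so the container holding this code needs no containerd socket. Tag resolution, the part the issue identifies as still needing the containerd client, is deliberately out of scope here.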