I am using docker service and kubernetes for container orchestration.
I would like to have all the volumes mounted from the host with the option nosuid.
Emptydir volumes could also live without suid. The only question is whether kubernetes supports specifying such mount options or if they can be handled somehow else.
```
findmnt
TARGET                  SOURCE      FSTYPE          OPTIONS
/                       /dev/vda1   ext4            rw,noatime,seclabel,data=ordered
├─/sys                  sysfs       sysfs           rw,relatime,seclabel
│ ├─/sys/kernel/security  securityfs  securityfs    rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup        tmpfs       tmpfs         ro,nosuid,nodev,noexec,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd  cgroup      cgroup    rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/sy
...
├─/var/lib/kubelet/pods/05f79fe8-3fab-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~secret/default-token-lnpbh       tmpfs       tmpfs          rw,relatime,seclabel
├─/var/lib/kubelet/pods/0911e563-3fab-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~secret/default-token-lnpbh       tmpfs       tmpfs          rw,relatime,seclabel
├─/var/lib/kubelet/pods/b550adbd-3fbf-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~empty-dir/data                   tmpfs       tmpfs          rw,relatime,seclabel
```

Related issue from kubernetes: https://github.com/kubernetes/kubernetes/issues/48912
As you mentioned, it is correct that EmptyDir volumes can live without suid, but as of now there is no way to specify nosuid-style mount options in Kubernetes volume manifests.
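Since the manifest cannot request nosuid, the practical control is to verify on each node which kubelet-managed volume mounts (secret, emptyDir, and so on) still lack it. The script below is an added example, not code from the question, the answer, or Kubernetes; it parses `findmnt -rn -o TARGET,FSTYPE,OPTIONS` output and lists every mount under `/var/lib/kubelet/pods/` whose option list does not contain `nosuid`. The pod names `POD-A`, `POD-B` and `POD-C` in the embedded sample are constructed placeholders, not real pod UIDs.

```shell
#!/bin/sh
# Report kubelet pod volume mounts that lack the nosuid option.
# Input: the text of `findmnt -rn -o TARGET,FSTYPE,OPTIONS` (raw output,
# one mount per line, no tree characters). Prints TARGET FSTYPE OPTIONS
# for each offending mount; prints nothing when every mount has nosuid.
audit_kubelet_mounts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/var\/lib\/kubelet\/pods\// {
            n = split($3, opts, ",")
            has = 0
            # Match the whole option token, so "nosuid" is found but a
            # substring inside another option would not be.
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") has = 1
            if (!has) print $1, $2, $3
        }'
}

# Number of kubelet volume mounts missing nosuid (convenient for alerting).
count_missing_nosuid() {
    audit_kubelet_mounts "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape of `findmnt -rn -o TARGET,FSTYPE,OPTIONS`;
# POD-A/POD-B/POD-C are placeholders, not captured from a real node.
SAMPLE='/ ext4 rw,noatime,seclabel,data=ordered
/sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,seclabel,mode=755
/var/lib/kubelet/pods/POD-A/volumes/kubernetes.io~secret/default-token tmpfs rw,relatime,seclabel
/var/lib/kubelet/pods/POD-B/volumes/kubernetes.io~empty-dir/data tmpfs rw,relatime,seclabel
/var/lib/kubelet/pods/POD-C/volumes/kubernetes.io~empty-dir/scratch tmpfs rw,nosuid,nodev,relatime'

# Offline demonstration on the constructed sample: expected to list POD-A and
# POD-B only, since POD-C already carries nosuid.
audit_kubelet_mounts "$SAMPLE"

# On a real node, feed live data instead of the sample:
#   audit_kubelet_mounts "$(findmnt -rn -o TARGET,FSTYPE,OPTIONS)"
```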