I am using docker service and kubernetes for container orchestration.
I would like to have all the volumes mounted from the host with the option nosuid.
Emptydir volumes could also live without suid. The only question is whether kubernetes supports specifying such mount options or if they can be handled somehow else.
findmnt
TARGET SOURCE FSTYPE OPTIONS
/ /dev/vda1 ext4 rw,noatime,seclabel,data=ordered
├─/sys sysfs sysfs rw,relatime,seclabel
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/sy
...
├─/var/lib/kubelet/pods/05f79fe8-3fab-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~secret/default-token-lnpbh tmpfs tmpfs rw,relatime,seclabel
├─/var/lib/kubelet/pods/0911e563-3fab-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~secret/default-token-lnpbh tmpfs tmpfs rw,relatime,seclabel
├─/var/lib/kubelet/pods/b550adbd-3fbf-11e7-8c7b-d00d8969ec73/volumes/kubernetes.io~empty-dir/data tmpfs tmpfs rw,relatime,seclabel
Related issue from kubernetes: https://github.com/kubernetes/kubernetes/issues/48912
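An added audit check (not from the question, the linked issue, or any Kubernetes tooling): a POSIX shell filter that reads findmnt output in the same TARGET SOURCE FSTYPE OPTIONS layout as the listing above and reports every kubelet pod volume mount whose option list lacks nosuid. The embedded listing and the POD-A/POD-B path segments are constructed sample data.

```shell
#!/bin/sh
# Audit findmnt output for kubelet pod volumes that are mounted without nosuid.

# Constructed sample modelled on the findmnt listing in the question (tree glyphs included).
SAMPLE_FINDMNT='TARGET SOURCE FSTYPE OPTIONS
/ /dev/vda1 ext4 rw,noatime,seclabel,data=ordered
├─/sys sysfs sysfs rw,relatime,seclabel
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
├─/var/lib/kubelet/pods/POD-A/volumes/kubernetes.io~secret/default-token tmpfs tmpfs rw,relatime,seclabel
├─/var/lib/kubelet/pods/POD-B/volumes/kubernetes.io~empty-dir/data tmpfs tmpfs rw,nosuid,relatime,seclabel'

# kubelet_mounts_without_nosuid: read findmnt text on stdin and print "TARGET OPTIONS"
# for each mount under /var/lib/kubelet/pods whose comma-separated options omit nosuid.
kubelet_mounts_without_nosuid() {
    # Drop the tree-drawing prefix (everything before the first '/') so $1 is the target
    # path; the header line has no '/' and becomes empty, so it never matches.
    sed 's/^[^/]*//' | awk '
        $1 ~ "^/var/lib/kubelet/pods/" {
            n = split($4, opts, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") has = 1
            if (!has) print $1, $4
        }'
}

# count_missing_nosuid: number of kubelet volume mounts lacking nosuid in the given text.
count_missing_nosuid() {
    printf '%s\n' "$1" | kubelet_mounts_without_nosuid | wc -l | tr -d ' '
}

# On a live node this would be: findmnt | kubelet_mounts_without_nosuid
printf '%s\n' "$SAMPLE_FINDMNT" | kubelet_mounts_without_nosuid
```

Only the secret volume of POD-A is reported for the sample; the emptyDir of POD-B already carries nosuid.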
As you mentioned, EmptyDir volumes can live without suid. That is correct, but as of now there is no way to specify nosuid-type mount options in Kubernetes volume manifests.