mount: tmpfs is write-protected, mounting read-only
mount: cannot mount tmpfs read-only
failed.
Based on the documentation re: annotations, and the container's creator, here is the relevant part of my deployment file:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: unifi-video
  annotations:
    container.apparmor.security.beta.kubernetes.io/unifi-video: "unconfined"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: unifi-video
    spec:
      hostname: unifi-video
      nodeSelector:
        kubernetes.io/hostname: mira-b.home
      volumes:
      - name: dockerdata
        persistentVolumeClaim:
          claimName: dockerdata-nas
      - name: cameradata
        persistentVolumeClaim:
          claimName: cameras-nas
      containers:
      - name: unifi-video
        image: pducharme/unifi-video-controller:3.9.7
        securityContext:
          capabilities:
            add:
            - SYS_ADMIN
            - DAC_READ_SEARCH
```
It specifically calls out:

> If you get this tmpfs mount error, add `--security-opt apparmor:unconfined \` to your list of run options. This error has been seen on Ubuntu, but may occur on other platforms as well.

but from what I can find (over an hour googling now), the way to achieve this in k8s is via the annotation line.

Am I missing something?
Ended up getting the answer to this from k8s issue section. Annotations were in the wrong spot. Here's the correct way to do this:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: unifi-video
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/unifi-video: unconfined
      labels:
        app: unifi-video
```
This results in successfully deploying the container with AppArmor allowing tmpfs mounts.
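The placement mistake in the question is easy to repeat and silent when it happens: the kubelet only reads `container.apparmor.security.beta.kubernetes.io/<container>` from the Pod's metadata (for a Deployment, that is `spec.template.metadata.annotations`), and the same key on the Deployment's own `metadata` is simply ignored, so the container quietly keeps the default profile. The following script is an added example, not code from the question, the answer or the unifi-video image maintainer: it walks a Deployment manifest (embedded here as constructed Python dicts, the shape `yaml.safe_load` would return, so it runs offline) and reports an annotation at the wrong level, an annotation naming a container that does not exist, and, as review notes rather than errors, any `unconfined` profile and any added `SYS_ADMIN`/`DAC_READ_SEARCH` capability, so the weakening is visible when the manifest is reviewed.

```python
"""Check where AppArmor annotations sit in a Kubernetes Deployment manifest.

Added example (not from the original post). The manifests below are
constructed dicts that mirror the two YAML fragments on the page; in real use
they would come from yaml.safe_load() on the manifest file.
"""

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Capabilities worth a reviewer's attention when added to a container.
REVIEW_CAPS = {"SYS_ADMIN", "DAC_READ_SEARCH"}


def _apparmor_annotations(metadata):
    """Return {container_name: profile} for AppArmor keys in a metadata block."""
    annotations = (metadata or {}).get("annotations") or {}
    return {
        key[len(APPARMOR_PREFIX):]: value
        for key, value in annotations.items()
        if key.startswith(APPARMOR_PREFIX)
    }


def check_deployment(manifest):
    """Return a list of (severity, message) findings for a Deployment dict.

    severity is "error" for placement problems that make the annotation
    ineffective and "note" for settings a reviewer should see.
    """
    findings = []
    if manifest.get("kind") != "Deployment":
        return [("error", f"unsupported kind: {manifest.get('kind')!r}")]

    template = (manifest.get("spec") or {}).get("template") or {}
    containers = (template.get("spec") or {}).get("containers") or []
    container_names = {c.get("name") for c in containers}

    # 1. Annotation on the Deployment object itself: never reaches the kubelet.
    for name, profile in _apparmor_annotations(manifest.get("metadata")).items():
        findings.append(("error",
                         f"AppArmor annotation for container {name!r} ({profile}) is on "
                         f"Deployment metadata and is ignored; move it to "
                         f"spec.template.metadata.annotations"))

    # 2. Annotation on the pod template: effective, but only for a real container.
    for name, profile in _apparmor_annotations(template.get("metadata")).items():
        if name not in container_names:
            findings.append(("error",
                             f"pod-template AppArmor annotation names container {name!r}, "
                             f"which is not in spec.template.spec.containers"))
        elif profile == "unconfined":
            findings.append(("note", f"container {name!r} runs with AppArmor unconfined"))

    # 3. Added capabilities that widen what the container can ask of the kernel.
    for c in containers:
        sc = c.get("securityContext") or {}
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added & REVIEW_CAPS):
            findings.append(("note", f"container {c.get('name')!r} adds capability {cap}"))
    return findings


def has_errors(findings):
    """True if any finding is an error (annotation would not take effect)."""
    return any(severity == "error" for severity, _ in findings)


# Constructed: the question's manifest, annotation on the Deployment metadata.
WRONG_PLACEMENT = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Deployment",
    "metadata": {
        "name": "unifi-video",
        "annotations": {APPARMOR_PREFIX + "unifi-video": "unconfined"},
    },
    "spec": {"replicas": 1, "template": {
        "metadata": {"labels": {"app": "unifi-video"}},
        "spec": {"containers": [{
            "name": "unifi-video",
            "image": "pducharme/unifi-video-controller:3.9.7",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "DAC_READ_SEARCH"]}},
        }]},
    }},
}

# Constructed: the answer's manifest, annotation on the pod template metadata.
CORRECT_PLACEMENT = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Deployment",
    "metadata": {"name": "unifi-video"},
    "spec": {"replicas": 1, "template": {
        "metadata": {
            "annotations": {APPARMOR_PREFIX + "unifi-video": "unconfined"},
            "labels": {"app": "unifi-video"},
        },
        "spec": {"containers": [{
            "name": "unifi-video",
            "image": "pducharme/unifi-video-controller:3.9.7",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "DAC_READ_SEARCH"]}},
        }]},
    }},
}

if __name__ == "__main__":
    for label, manifest in (("wrong", WRONG_PLACEMENT), ("correct", CORRECT_PLACEMENT)):
        print(f"== {label} placement ==")
        for severity, message in check_deployment(manifest):
            print(f"  [{severity}] {message}")
```

Running it prints an error for the first manifest and only review notes for the second; wiring `has_errors` into a CI step on the manifest directory catches the misplacement before `kubectl apply`, instead of after the container fails on the tmpfs mount.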