How can I attach host devices (/dev/XYZ) to a non-privileged POD

Cluster information:

Kubernetes version: 1.26.1
Cloud being used: (put bare-metal if not on a public cloud)
Installation method:
Host OS: CentOS 8.5
CNI and version:
CRI and version:

We loaded our driver in SR-IOV mode, exposed VFs and attached all VFs to host as CharDevices from /dev/XYZ_1 to /dev/XYZ_30.

When we attach each device to individual PODs, container applications are working as expected in privileged mode.

As we should not create privileged PODs due to security issues, we are allowed to create only non-privileged containers.

But in non-privileged mode we are facing the error below:

Failed to open device /dev/XYZ_0
Failed to mmap 1234 memory, errno: 9
Failed to map 1234 memory, errno: 9
Failed to map slab buffers 19K
Failed to init our driver
error code 44440085, errno 9 Bad file descriptor

Please help us in fixing this issue. Thanks in advance.


Can you share your pod definition?

Here is the Pod definition:

apiVersion: v1
kind: Pod
metadata:
  name: p1
spec:
  containers:
  - name: p1
    image: centos:8
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello; sleep 10; done"]
    volumeMounts:
    - mountPath: /dev/xyz
      name: host_xyz
  volumes:
  - name: host_xyz
    hostPath:
      path: /dev/xyz

The device /dev/xyz is a Virtual Function exposed through SR-IOV.
Thanks.

I think you need to look into security contexts and just give it the least amount of privileges necessary. There are times where you might have to just do privileged: true. For those cases you should try to use a non-privileged uid and gid.
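To make the last suggestion concrete, here is the pod from the thread rewritten with an explicit security context and the hostPath restricted to a character device. This is an added example, not a manifest posted by anyone in the thread; the uid/gid values, the `host-xyz` volume name and the supplemental group that owns `/dev/xyz` on the node are assumptions and must be adjusted to match `ls -l /dev/xyz` on the host.

```yaml
# Added example (not from the thread): the same pod without privileged: true.
# uid/gid, the device-owning group and the volume name are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: p1
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000              # assumed non-root uid for the application
    runAsGroup: 1000
    # assumed gid that owns /dev/xyz on the node; the process needs it to pass
    # the file-permission check on the device node without being root
    supplementalGroups: [2000]
  containers:
  - name: p1
    image: centos:8
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo hello; sleep 10; done"]
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]            # start from nothing; add back only what the driver proves it needs
    volumeMounts:
    - mountPath: /dev/xyz
      name: host-xyz
  volumes:
  - name: host-xyz               # volume names must be DNS labels, so '-' rather than '_'
    hostPath:
      path: /dev/xyz
      type: CharDevice           # kubelet refuses the pod unless the node path is a character device
```

Apply it with `kubectl apply -f` and check from inside the container with `kubectl exec p1 -- ls -l /dev/xyz` that the node is present and group-readable by the supplemental group. One caveat worth knowing when the open() still fails: a hostPath mount only bind-mounts the node into the container's filesystem; it does not add the device to the container's device cgroup allowlist, which is what `privileged: true` silently disables. If the runtime's device cgroup is what blocks the open, the device has to be granted to the container through a device plugin (which puts it in the OCI spec's device list) rather than through a hostPath volume, and the pod can then stay unprivileged with the security context above.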