Hello everyone!
I’ve taught myself Kubernetes and have been following the course to get CKA certified. At home, I run a lab on 6 bare metal nodes. It runs Talos Linux 1.8, Longhorn 1.7, Cilium 1.16. It runs very well, if I may say so myself.
For several apps I created my own manifests for a deployment or statefulset. Talos namespaces are restricted which means that with images running as root, or requiring some other privileges, I need to set labels on the namespace, for example I could set:
labels:
  pod-security.kubernetes.io/enforce: privileged
  pod-security.kubernetes.io/audit: privileged
  pod-security.kubernetes.io/warn: privileged
However, for many images this is not required, so I don’t set the labels. In a statefulset I would specify something along the lines of this:
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
When it's a new deployment with a fresh persistent volume, I get errors on starting the pods as they cannot create certain directories. I need an init container. So I add one:
initContainers:
  - name: init-container
    image: busybox
    command:
      - sh
      - -c
      - |
        mkdir -p /data/someapp &&
        chown -R 1000:1000 /data/someapp &&
        chmod -R 755 /data/someapp
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: true
    volumeMounts:
      - name: someapp-data
        mountPath: /data
Obviously it's not going to work as I specify runAsUser 0 with privilege escalation. I tried running as 1000:1000 with and without privilege escalation.
This is where I am stuck. I don't understand how to make the init containers work in a restricted namespace. When I can't use root or privilege escalation, how is the init container supposed to create the required dirs and set permissions?
What I do now is simply run it with the privileged labels, let it init and remove the labels. Once the dirs exist, the containers can run without an issue.
Can someone explain to me how this works?
Thanks!
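One way to make the fresh-volume case work without ever labelling the namespace privileged, as an added example that is not part of the original post: the kubelet can change the ownership of a volume for you when it mounts it, via the pod-level `fsGroup` field, so no container has to run as root or chown anything. The init container then only needs to create a subdirectory, which it can do as uid/gid 1000 once the volume root belongs to group 1000, and it can carry exactly the same restricted-profile securityContext as the application container (the Pod Security admission controller evaluates init containers too, which is why the `runAsUser: 0` variant above is rejected). The names `someapp`, `someapp-data`, the image tags and the `longhorn` storage class are placeholders; it also assumes the Longhorn CSI driver honours `fsGroup` for filesystem-mode ReadWriteOnce volumes, which is the default CSI behaviour but is an assumption here.

```yaml
# Added example, not from the original post. Placeholder names: someapp, someapp-data,
# image tags, storage class. Assumes the CSI driver (Longhorn here) honours fsGroup.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: someapp
spec:
  serviceName: someapp
  replicas: 1
  selector:
    matchLabels:
      app: someapp
  template:
    metadata:
      labels:
        app: someapp
    spec:
      # Pod-level context: inherited by every container (init containers included).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        # The kubelet chowns the mounted volume to gid 1000, makes it group-writable
        # and sets the setgid bit on directories, so uid 1000 can create files in it.
        fsGroup: 1000
        # Only do the recursive chown when the volume root does not already match;
        # avoids re-walking a large volume on every pod restart.
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: init-dirs
          image: busybox:1.36          # assumed tag
          command:
            - sh
            - -c
            - |
              set -e
              # Volume root is already group-writable thanks to fsGroup, so a
              # non-root process can create the application's directory.
              mkdir -p /data/someapp
              chmod 750 /data/someapp
          # Same restricted-profile settings as the app container; PSA checks these too.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: someapp-data
              mountPath: /data
      containers:
        - name: someapp
          image: example.org/someapp:1.0   # placeholder image
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: someapp-data
              mountPath: /data
  volumeClaimTemplates:
    - metadata:
        name: someapp-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: longhorn       # assumed storage class name
        resources:
          requests:
            storage: 5Gi
```

Apply this in the namespace with its default (restricted) enforcement and no privileged labels; if the admission controller still warns, the message names the exact field that violates the profile. Because the ownership change is done by the kubelet on every mount, the init container is only needed if the application insists on a pre-existing subdirectory; if it is content to write into the volume root, the init container can be dropped altogether. The chown is recursive on first attach, which is the one step that used to require root and the reason the "label privileged, start once, remove the labels" workaround appeared to fix things.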