Is it possible to mount a directory from the root filesystem without using a privileged container?

mason · June 11, 2024, 10:35pm

Cluster information:

Kubernetes version: 1.29.5+k3s1
Cloud being used: bare-metal
Installation method: k3s install script
Host OS: Ubuntu 20.04.6 LTS
CNI and version: flannel 1.4.0-flannel1+v0.24.2
CRI and version: containerd 1.7.15-k3s1

Question

I have a pod that needs to read data from /dev/i2c-7. Currently this only works by setting:

securityContext:
    privileged: true

Which seems to give the container full access to the host’s root filesystem.

volumes and volumeMounts don’t seem to work, I have to provide access to the whole host system just to access this single device. Is there a way to improve security a bit and mount only that single directory? I am struggling to find any information about this sort of use case.

fox-md · June 15, 2024, 6:16pm

Hi,

I believe this Volumes | Kubernetes might be what you are looking for.

mason · June 17, 2024, 6:29pm

As mentioned, volumes and volumeMounts of /dev/i2c-* devices don’t work.

However, I have found a solution which is to use this plugin. I set up a device for each i2c-* device and now my pods can connect to /dev devices easily.

Topic		Replies	Views
`fsUser` and `runAsUser` enhancement proposal: accessing `hostMount` from containers that are not running as root General Discussions security	0	1394	May 5, 2022
Mount Hostpath volume as non root user General Discussions	2	5476	October 5, 2020
Method for excluding file or directory in volume mount? General Discussions	12	7541	December 4, 2019
Security context `fsUser` to not loose write access on mounted filesystem General Discussions development , minikube , security	1	3753	July 21, 2021
Writable hostPath volume as non-root General Discussions	0	2177	January 13, 2021

Is it possible to mount a directory from the root filesystem without using a privileged container?

Cluster information:

Question

Related Topics