Fix issue 5763
- Discourage `--oci-worker-no-process-sandbox`, due to the leakage of
the processes (by design).
Instead, encourage setting `systempaths=unconfined` in `docker run`.
This corresponds to `securityContext.procMount: Unmasked` in Kubernetes;
however, the configuration is hard on Kubernetes, as it has to be used
in conjunction with `hostUsers: false`.
- Remove `--device /dev/fuse`, as fuse-overlayfs is no longer used typically.
- Use the new Kubernetes struct for AppArmor
- Add a hint about `kernel.apparmor_restrict_unprivileged_userns`
- Remove `$` from command snippets for ease of copypasting
- Make `job.*.yaml` more practical
- Add `*.userns.yaml`. Needs `UserNamespaceSupport` feature gate to be enabled.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
but the default VOLUME does not work with rootless on Google's Container-Optimized OS
as it is mounted with `nosuid,nodev`.
So the volume has to be explicitly mounted as an `emptyDir` volume.
Tested with GKE Autopilot 1.24.3-gke.200 (kernel 5.10.123+, containerd 1.6.6).
Fix issue 879
Thanks to Andrew Grigorev (ei-grad) and Ben Cressey (bcressey).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Kubernetes added the official `securityContext.seccompProfile` support in Kubernetes 1.19.
Seccomp is still disabled by default.
The legacy `container.seccomp.security.alpha.kubernetes.io/<PODNAME>` annotation has been deprecated and will be unsupported in Kubernetes 1.25.
https://kubernetes.io/docs/tutorials/security/seccomp/
A test cluster can be created with the following minikube command:
```
minikube start --feature-gates SeccompDefault=true --extra-config kubelet.seccomp-default=true
```
Fix issue 2515
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
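
The three commit messages above each change one part of the same Pod spec: `procMount: Unmasked` with `hostUsers: false` instead of `--oci-worker-no-process-sandbox`, the structured AppArmor field, `securityContext.seccompProfile`, and the explicit `emptyDir` for the BuildKit cache directory. The manifest below is an added example that puts those settings together; it is not a file from the BuildKit repository or from these commits. The image tag, Pod and container names, and the uid are assumptions; `securityContext.appArmorProfile` requires Kubernetes 1.30 or later, and `hostUsers: false` requires the user-namespace feature gate the first commit mentions.

```yaml
# Added example, not part of the commits above.
# Assumptions (not stated on the page): image tag, names, uid 1000.
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd-rootless          # placeholder name
spec:
  # Run the Pod in a user namespace: uid 0 inside the container maps to an
  # unprivileged uid on the node. Needs the user-namespace feature gate and is
  # what makes procMount: Unmasked acceptable to the API server.
  hostUsers: false
  containers:
  - name: buildkitd
    image: moby/buildkit:rootless   # assumption: rootless image tag
    securityContext:
      # Keep /proc unmasked instead of passing --oci-worker-no-process-sandbox,
      # which would leak build processes out of the sandbox by design.
      procMount: Unmasked
      # The rootless image runs as an unprivileged user (assumed uid 1000).
      runAsUser: 1000
      runAsGroup: 1000
      allowPrivilegeEscalation: false
      # Rootless BuildKit creates its own user and mount namespaces, which the
      # runtime's default seccomp and AppArmor profiles block.
      seccompProfile:
        type: Unconfined
      appArmorProfile:               # structured field, Kubernetes 1.30+
        type: Unconfined
    volumeMounts:
    # The image's default VOLUME is mounted nosuid,nodev on Container-Optimized
    # OS, so the cache directory is mounted explicitly as an emptyDir.
    - name: buildkitd
      mountPath: /home/user/.local/share/buildkit
  volumes:
  - name: buildkitd
    emptyDir: {}
```

The `docker run` counterpart of `procMount: Unmasked` is `--security-opt systempaths=unconfined`, as the first commit message says. Even with every field above set, a node whose kernel has `kernel.apparmor_restrict_unprivileged_userns` enabled can still refuse the user-namespace creation rootless BuildKit needs; that sysctl is a node-level setting, not something a Pod spec can override.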
* examples/kubernetes: newly added
* docs/rootless.md: cleaned up for better readability
* examples/README.md: split out from the main README.md
* examples/build-using-dockerfile/README.md: split out from the main README.md
* README.md: add TOC using https://github.com/thlorenz/doctoc
* README.md: add mTLS configuration (relates to #1074)
* README.md: add more adoptions
* README.md: add inline cache (fix #976)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>