Fix issue 5763 - Discourage `--oci-worker-no-process-sandbox`, due to the leakage of processes (by design). Instead, encourage setting `systempaths=unconfined` in `docker run`. This corresponds to `securityContext.procMount: Unmasked` in Kubernetes; however, that configuration is harder to use on Kubernetes, as it has to be combined with `hostUsers: false`. - Remove `--device /dev/fuse`, as fuse-overlayfs is typically no longer used. - Use the new Kubernetes struct for AppArmor. - Add a hint about `kernel.apparmor_restrict_unprivileged_userns`. - Remove `$` from command snippets for ease of copy-pasting. - Make `job.*.yaml` more practical. - Add `*.userns.yaml`; needs the `UserNamespaceSupport` feature gate to be enabled. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
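---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    # see buildkit/docs/rootless.md for caveats of rootless mode
    spec:
      # buildkitd does not talk to the Kubernetes API. Builds run untrusted
      # Dockerfile instructions as this pod's UID, so nothing in the pod
      # should hold a service-account token for them to find.
      automountServiceAccountToken: false
      containers:
        - name: buildkitd
          image: moby/buildkit:master-rootless
          args:
            # Local socket; the probes below use it.
            - --addr
            - unix:///run/user/1000/buildkit/buildkitd.sock
            # TCP listener for remote buildctl clients. With --tlscacert set,
            # buildkitd only accepts clients presenting a certificate signed by
            # ca.pem, so that CA is the daemon's authentication root: keep it
            # dedicated to buildkit, because any holder of a cert it issued
            # can run arbitrary builds as UID 1000 inside this pod.
            - --addr
            - tcp://0.0.0.0:1234
            - --tlscacert
            - /certs/ca.pem
            - --tlscert
            - /certs/cert.pem
            - --tlskey
            - /certs/key.pem
            # Discouraged: build steps are not isolated in their own PID
            # namespace, so their processes can outlive the build ("leak",
            # by design) and can see and signal buildkitd, which runs as the
            # same UID. The isolated alternative is
            # `securityContext.procMount: Unmasked` together with
            # `hostUsers: false` (see the *.userns.yaml example), which
            # requires the UserNamespaceSupport feature gate.
            - --oci-worker-no-process-sandbox
          # `buildctl debug workers` needs buildkit >= v0.6.3, which the
          # master-rootless image satisfies. It presumably reaches the daemon
          # over the unix socket configured above, so the probes do not depend
          # on the TLS material — confirm if the image's default changes.
          readinessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          livenessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            # Rootless mode sets up user and mount namespaces (RootlessKit),
            # which the runtime-default seccomp and AppArmor profiles block;
            # see docs/rootless.md. Unconfined therefore leaves the pod's own
            # rootless user namespace as the main isolation boundary.
            # Needs Kubernetes >= 1.19
            seccompProfile:
              type: Unconfined
            # Needs Kubernetes >= 1.30
            # On nodes with kernel.apparmor_restrict_unprivileged_userns=1
            # (e.g. Ubuntu 24.04+), Unconfined alone may not be enough: the
            # sysctl has to be relaxed or a node-side profile must grant userns.
            appArmorProfile:
              type: Unconfined
            # To change UID/GID, you need to rebuild the image
            runAsUser: 1000
            runAsGroup: 1000
            # Fail closed if a later edit sets runAsUser to 0; the whole point
            # of this manifest is that the daemon is not root.
            runAsNonRoot: true
            # NOTE(review): do not add `allowPrivilegeEscalation: false` without
            # checking docs/rootless.md — rootless buildkit relies on the setuid
            # newuidmap/newgidmap helpers, which no_new_privs would break.
          ports:
            - containerPort: 1234
          volumeMounts:
            - name: certs
              readOnly: true
              mountPath: /certs
            # Dockerfile has `VOLUME /home/user/.local/share/buildkit` by default too,
            # but the default VOLUME does not work with rootless on Google's Container-Optimized OS
            # as it is mounted with `nosuid,nodev`.
            # https://github.com/moby/buildkit/issues/879#issuecomment-1240347038
            - mountPath: /home/user/.local/share/buildkit
              name: buildkitd
      volumes:
        # buildkit-daemon-certs must contain ca.pem, cert.pem, and key.pem
        - name: certs
          secret:
            secretName: buildkit-daemon-certs
        # Build state/cache; an emptyDir is discarded whenever the pod restarts.
        - name: buildkitd
          emptyDir: {}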
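---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  # In-cluster only (the default, made explicit). The TCP endpoint is
  # protected solely by mTLS against buildkit-daemon-certs; changing this to
  # NodePort or LoadBalancer exposes the daemon's build-execution surface to
  # whoever can reach that address, so keep such a change deliberate.
  type: ClusterIP
  ports:
    - port: 1234
      targetPort: 1234
      protocol: TCP
  selector:
    app: buildkitd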