| *** igordc has joined #kata-general | 02:33 | |
| *** igordc has quit IRC | 03:16 | |
| *** sameo has quit IRC | 05:10 | |
| *** sameo has joined #kata-general | 05:29 | |
| *** sgarzare has joined #kata-general | 07:05 | |
| *** sgarzare has quit IRC | 07:57 | |
| *** sgarzare has joined #kata-general | 07:59 | |
| *** gwhaley has joined #kata-general | 08:06 | |
| kata-irc-bot | <graham.whaley> @philip.schmidt hmm, so, to do that I guess you are wanting or needing the sidecar to run as 'priv' inside the VM that contains the containers, so it can look outside/inside the container namespaces etc. I'm not how/if to do that with Kata - let's ask @eric.ernst @archana.m.shinde if they know... it's an interesting question :slightly_smiling_face: | 08:46 |
|---|---|---|
| *** igordc has joined #kata-general | 12:34 | |
| kata-irc-bot | <eric.ernst> (sorry for delayed response here @philip.schmidt). If kube-runtime exec does not work, I would consider that a bug. I personally have never used the runtime directly to exec, though. If you are using "v2-shim" i'm not sure I'd expect this to work. What CRI are you using? | 14:57 |
| kata-irc-bot | <eric.ernst> ^^ @bergwolf @fupan heads up -- not sure if you've tried this or have input | 14:57 |
| kata-irc-bot | <bergwolf> asaict `kata-runtime exec` is no more secure than `kube exec` and it mostly works with docker instead of CRI case | 15:02 |
| kata-irc-bot | <philip.schmidt> yes I already tried with the following spec, but if I tried to use nsenter of see in /proc I could not see the other container namespaces: ```{ "apiVersion": "v1", "kind": "Pod", "metadata": { "annotations": { "io.kubernetes.cri.untrusted-workload": "true" }, "labels": { "app": "netmon" }, "name": "netmon" }, "spec": { "containers": [ { | 15:24 |
| kata-irc-bot | "image": "ubuntu:18.04", "name": "app" }, { "image": "ubuntu:18.04", "name": "netmon", "command": ["bash"], "stdin": true, "tty": true, "securityContext": { "privileged": true } } ] } }``` | 15:24 |
| kata-irc-bot | <philip.schmidt> | 15:25 |
| kata-irc-bot | <philip.schmidt> crictl exec does work though | 15:26 |
| *** sgarzare has quit IRC | 17:44 | |
| *** gwhaley has quit IRC | 19:29 | |
| *** igordc has quit IRC | 20:47 | |
| *** igordc has joined #kata-general | 20:48 | |
| *** sameo has quit IRC | 21:12 | |
| *** th0din has quit IRC | 22:30 | |
| *** th0din has joined #kata-general | 23:53 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!