containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12301 from umohnani8/table 

Add note about volume with unprivileged container
This commit is contained in:
OpenShift Merge Robot 2021-11-22 21:52:31 +01:00 committed by GitHub
parent ed83ef2517 a8b3c67b97
commit 0b7c132d9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/source/markdown/podman-generate-kube.1.md
View File

@ -19,6 +19,12 @@ Potential name conflicts between volumes are avoided by using a standard naming
Note that if an init container is created with type `once` and the pod has been started, the init container will not show up in the generated kube YAML as `once` type init containers are deleted after they are run. If the pod has only been created and not started, it will be in the generated kube YAML. Note that if an init container is created with type `once` and the pod has been started, the init container will not show up in the generated kube YAML as `once` type init containers are deleted after they are run. If the pod has only been created and not started, it will be in the generated kube YAML.
Init containers created with type `always` will always be generated in the kube YAML as they are never deleted, even after running to completion. Init containers created with type `always` will always be generated in the kube YAML as they are never deleted, even after running to completion.
*Note*: When using volumes and generating a Kubernetes YAML for an unprivileged and rootless podman container on an **SELinux enabled system**, one of the following options must be completed:
* Add the "privileged: true" option to the pod spec
* Add `type: spc_t` under the `securityContext` `seLinuxOptions` in the pod spec
* Relabel the volume via the CLI command `chcon -t container_file_t context -R <directory>`
Once completed, the correct permissions will be in place to access the volume when the pod/container is created in a Kubernetes cluster.
Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1). Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1).
## OPTIONS ## OPTIONS

8
pkg/domain/infra/abi/generate.go
View File

@ -124,6 +124,14 @@ func (ic *ContainerEngine) GenerateKube(ctx context.Context, nameOrIDs []string,
if err != nil { if err != nil {
return nil, err return nil, err
} }
if len(po.Spec.Volumes) != 0 {
warning := `
# NOTE: If you generated this yaml from an unprivileged and rootless podman container on an SELinux
# enabled system, check the podman generate kube man page for steps to follow to ensure that your pod/container
# has the right permissions to access the volumes added.
`
content = append(content, []byte(warning))
}
b, err := generateKubeYAML(libpod.ConvertV1PodToYAMLPod(po)) b, err := generateKubeYAML(libpod.ConvertV1PodToYAMLPod(po))
if err != nil { if err != nil {
return nil, err return nil, err