Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Privileged flag for EKS Fargate launch profile #236

Open
OwenDelahoy opened this issue Mar 30, 2021 · 1 comment
Open

Privileged flag for EKS Fargate launch profile #236

OwenDelahoy opened this issue Mar 30, 2021 · 1 comment

Comments

@OwenDelahoy
Copy link

Concourse workers can not launch from eks in fargate due to privileged: true

concourse-chart/templates/worker-statefulset.yaml

Line 64 in 8fe5b30

privileged: true

The following error is returned from fargate when trying to launch the pod:
Warning FailedScheduling <unknown> fargate-scheduler Pod not supported on Fargate: invalid SecurityContext fields: Privileged

Does this always need to run with privileged: true?
Or just by privileged tasks?
https://concourse-ci.org/jobs.html#schema.step.task-step.privileged

There is a another discussion regarding this flag here:
#60 (comment)
@taylorsilva
Copy link
Member

The workers always need privileged: true because both the guardian and containerd runtime need to be root in order to create containers, even non-privileged ones. Currently there is no way around this.

In the future we're planning to create a k8s runtime which would not require privileged workers in your k8s clusters. concourse/rfcs#81

Another possibility is running containerd in rootless mode. We haven't experimented with this though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@OwenDelahoy @taylorsilva