device-plugins: Add fuse-device-plugin DaemonSet

The *fuse-device-plugin* handles mapping the `/dev/fuse` device into unprivileged containers, e.g. for `buildah`. Although *fuse-device-plugin* was recommended by Red Hat in their blog post [How to use Podman inside of Kubernetes][0], it's probably not the best choice any more. It's working for now, giving me the ability to build container images in Kubernetes without running `buildah` in a privileged container, but I will probably investigate replacing it with the [generic-device-plugin][1] eventually. [0]: https://www.redhat.com/sysadmin/podman-inside-kubernetes [1]: https://github.com/squat/generic-device-plugin
2023-10-08 11:59:16 -05:00
parent f7a8f391ea
commit 934c07ceba
2 changed files with 58 additions and 0 deletions
--- a/device-plugins/fuse-device-plugin.yaml
+++ b/device-plugins/fuse-device-plugin.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fuse-device-plugin
+ namespace: kube-system
+spec:
+ selector:
+   matchLabels:
+     name: fuse-device-plugin
+ template:
+   metadata:
+     labels:
+       name: fuse-device-plugin
+   spec:
+     containers:
+     - image: git.pyrocufflink.net/containerimages/fuse-device-plugin
+       name: fuse-device-plugin
+       securityContext:
+         allowPrivilegeEscalation: false
+         capabilities:
+           drop:
+           - ALL
+       volumeMounts:
+       - name: device-plugin
+         mountPath: /var/lib/kubelet/device-plugins
+     hostNetwork: true
+     volumes:
+     - name: device-plugin
+       hostPath:
+         path: /var/lib/kubelet/device-plugins