kubernetes/device-plugins
Dustin 934c07ceba device-plugins: Add fuse-device-plugin DaemonSet
The *fuse-device-plugin* handles mapping the `/dev/fuse` device into
unprivileged containers, e.g. for `buildah`.

Although *fuse-device-plugin* was recommended by Red Hat in their
blog post [How to use Podman inside of Kubernetes][0], it's probably
not the best choice any more.  It's working for now, giving me the
ability to build container images in Kubernetes without running
`buildah` in a privileged container, but I will probably investigate
replacing it with the [generic-device-plugin][1] eventually.

[0]: https://www.redhat.com/sysadmin/podman-inside-kubernetes
[1]: https://github.com/squat/generic-device-plugin
2023-10-10 22:31:44 -05:00
README.md device-plugins: Add fuse-device-plugin DaemonSet 2023-10-10 22:31:44 -05:00
fuse-device-plugin.yaml device-plugins: Add fuse-device-plugin DaemonSet 2023-10-10 22:31:44 -05:00

README.md

Device Plugins

Kubernetes Device Plugins are processes that map device nodes into unprivileged containers. They provide an alternative to manually bind-mounting devices using pod volumes, which typically requires granting container processes more privileges than they would otherwise need.

fuse-device-plugin

The fuse-device-plugin is a simple plugin that maps the /dev/fuse device node into a container. This device node is required in order to use FUSE filesystems. Buildah, for example, used a FUSE implementation of OverlayFS when building container images in an unprivileged container.
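The difference in pod privileges, as an added example that is not part of this repository: the first manifest bind-mounts /dev/fuse from the host, the second requests it from the device plugin. The pod names, the image, and the `github.com/fuse` resource name (the one used in the Red Hat post referenced by the commit) are assumptions.

```yaml
# Constructed manifests for comparison; names and image are illustrative.
---
# Before: /dev/fuse bind-mounted from the host with a hostPath volume.
# The container has to run privileged to be allowed to open the device.
apiVersion: v1
kind: Pod
metadata:
  name: buildah-privileged          # hypothetical name
spec:
  containers:
    - name: buildah
      image: quay.io/buildah/stable # assumed image
      command: ["sleep", "infinity"]
      securityContext:
        privileged: true            # grants access to every host device
      volumeMounts:
        - name: fuse
          mountPath: /dev/fuse
  volumes:
    - name: fuse
      hostPath:
        path: /dev/fuse
        type: CharDevice
---
# After: the device plugin maps /dev/fuse into the container when the pod
# requests the extended resource. No privileged flag, no hostPath volume.
apiVersion: v1
kind: Pod
metadata:
  name: buildah-unprivileged        # hypothetical name
spec:
  containers:
    - name: buildah
      image: quay.io/buildah/stable # assumed image
      command: ["sleep", "infinity"]
      securityContext:
        privileged: false
      resources:
        limits:
          github.com/fuse: 1        # assumed resource name advertised by the plugin
```

The resource name a plugin actually advertises appears under Capacity and Allocatable in `kubectl describe node`; a pod requesting a name no node advertises stays Pending.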

As of October 2023, upstream development of the fuse-device-plugin appears to have stalled, and its "official" container image is several years old at this point. While the project itself is simple and probably does not need much maintenance, running a container based on an operating system that old is quite dangerous. As such, I've created my own container image for it that gets rebuilt and updated automatically.