Support hooks modifying exec parameters #44
Comments
nod no hooks for exec... @mrunalp @haircommander note ^
I wonder how we'd define the API so it'd differentiate exec vs execsync. I imagine all of that is largely unnecessary for probes, though they may want a different set of injections
Yeah, we want containers to run as non-root, but teams often need root to debug, so this allowed us to bring back the behavior of We are a less traditional Kubernetes user since the vast majority of our workloads are stateful databases which have much more demanding debugging requirements from the database teams, so it's great having the containers fully locked down by default, but then letting database admins escalate via
In terms of parameters, is there any difference between the two when it comes to
One frustrating thing about our current setup of wrapping the runc command is that anything we do during
not really if you ignore the possibility of input or tty from the user (which doesn't change the actual command, but does significantly change what is set up for and by runc).
We currently wrap the runc binary in order to modify containers and exec commands. It'd be great to move to NRI, but NRI does not appear to support modifying runc exec. Modifying runc exec is useful for many reasons, here are some that we currently use in production:
- PS1 to include information about which cluster you're in
- docker exec --user=root --privileged via kubectl by prepending directive to the executed command like: kubectl exec -it <pod> -- EXEC_PRIVILEGED=true EXEC_USER=root bash
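
An added example, not code from this issue or from the NRI or runc projects: one way a wrapper could parse the leading directives from the kubectl command above before deciding how to modify the exec. The type and function names are hypothetical, only the two directives shown in the issue are accepted, and mapping the result onto runc exec parameters is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ExecOverrides holds what the directives ask for (hypothetical type).
type ExecOverrides struct {
	User       string
	Privileged bool
}

// ParseExecDirectives strips leading EXEC_*=value tokens from argv and
// returns the requested overrides plus the command that should really run.
func ParseExecDirectives(argv []string) (ExecOverrides, []string, error) {
	var o ExecOverrides
	i := 0
	for ; i < len(argv); i++ {
		key, val, ok := strings.Cut(argv[i], "=")
		if !ok || !strings.HasPrefix(key, "EXEC_") {
			break // first ordinary token: the real command starts here
		}
		switch key {
		case "EXEC_USER":
			o.User = val
		case "EXEC_PRIVILEGED":
			b, err := strconv.ParseBool(val) // strict: "maybe" is an error
			if err != nil {
				return o, nil, fmt.Errorf("EXEC_PRIVILEGED: %w", err)
			}
			o.Privileged = b
		default: // fail closed on directives the wrapper does not know
			return o, nil, fmt.Errorf("unknown directive %q", key)
		}
	}
	if i == len(argv) {
		return o, nil, errors.New("no command after directives")
	}
	return o, argv[i:], nil
}

func main() {
	// Constructed input: the argv from the kubectl example above.
	o, cmd, err := ParseExecDirectives([]string{"EXEC_PRIVILEGED=true", "EXEC_USER=root", "bash"})
	fmt.Println(o, cmd, err)
}
```

Directives are honoured only at the front of argv, so an EXEC_USER=root token appearing after the command name is passed through as an ordinary argument.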