The document discusses deploying rootless BuildKit on Kubernetes, addressing common myths related to security privileges, seccomp, and overlay filesystem support. It emphasizes the viability of running build environments without requiring privileged contexts and mentions future work, such as gVisor integration. Additionally, it highlights the availability of a Knative template for users preferring a daemon-free experience.

1. Deploying
Rootless BuildKit
on Kubernetes

2. About me
●
●
●

3. What is Rootless?
●
●

4. What is Rootless?
●

5. What is Rootless?
https://tinyurl.com/dockercon2019-rootless

6. In-cluster build
●
●

7. In-cluster build
●

8. In-cluster build
● securityContext.privileged
docker run --privileged
docker:dind
● hostPath
/var/run/docker.sock buildkitd.sock

9. myth 1: requires securityContext.privileged
●
●
--oci-worker-no-process-sandbox
○ /proc

10. myth 1: requires securityContext.privileged
RUN gcc
Process sandbox

11. myth 1: requires securityContext.privileged
--oci-worker-no-process-sandbox
RUN gcc
worker container can kill(2) the daemon
Host is still protected
Process sandbox

12. myth 1: requires securityContext.privileged
●
securityContext.procMount
Unmasked
○

13. myth 2: seccomp and AppArmor
need to be disabled

14. myth 2: seccomp and AppArmor
need to be disabled
●
●
○

15. myth 2: seccomp and AppArmor
need to be disabled
RUN gcc
seccomp

16. myth 2: seccomp and AppArmor
need to be disabled
RUN gcc
worker containers are still protected with seccompseccomp

17. Future work: gVisor integration?
●
●
●

18. Future work: gVisor integration?
● EINVAL
●
○
○

19. Comparison: Kaniko
●
●
○
●

20. myth 3: No OverlayFS support
●
○
●

21. myth 3: No OverlayFS support
●
/home/user/.local/share/buildkit
○ mkfs.xfs -m reflink=1
○

22. kubectl run & buildctl
docker buildx

23. Knative template is also available
●
●

24. Knative template is also available

25. If you don’t like daemon..
●
●
○

26. Questions?