Cannot run OPA image in user namespace on GKE #8445

@savitha-qs

Description

Short description

opa:1.14.1-envoy image fails to start with hostUsers: false (Kubernetes user namespaces) due to missing /dev/console

Steps To Reproduce

  • Deploy this pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-userns-test
spec:
  hostUsers: false
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    fsGroup: 1000
  containers:
  - name: opa
    image: openpolicyagent/opa:1.14.1-envoy
    args:
    - run
    - --server
    - --diagnostic-addr=0.0.0.0:8282
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
```

  • It gets CreateContainerError
  • Set hostUsers: true (default) and re-deploy - works

Expected behavior

The above pod spec works in user namespace, i.e. with hostUsers: false

Additional context

I built a custom OPA image with the following Dockerfile. This image works with hostUsers: false.

```dockerfile
FROM openpolicyagent/opa:1.14.1-envoy AS opa

FROM busybox AS setup
COPY --from=opa / /opa-root/
RUN mkdir -p /opa-root/dev && touch /opa-root/dev/console

FROM openpolicyagent/opa:1.14.1-envoy

COPY --from=setup /opa-root/ /
```
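A pre-deployment check for the failure mode described in this issue, added here as an example (not code from the reporter or the OPA project): it lists a root filesystem tarball as produced by `docker export` and flags images that have no /dev/console. The `export_image_rootfs` helper and the constructed sample rootfs are illustrative assumptions, not part of the original report.

```shell
#!/bin/sh
# Offline check for the failure in this issue: a container image whose root
# filesystem has no /dev/console fails to start under Kubernetes user
# namespaces (hostUsers: false). Input is a rootfs tarball from `docker export`.
set -eu

# Exit 0 if the tarball lists dev/console (some tar builds prefix "./").
rootfs_has_console() {
  tar -tf "$1" | grep -Eq '^(\./)?dev/console$'
}

# Export a real image to a rootfs tarball. Needs a docker CLI; assumption:
# used interactively only, never by the offline demonstration below.
export_image_rootfs() {
  cid=$(docker create "$1")
  docker export "$cid" -o "$2"
  docker rm "$cid" >/dev/null
}

# Build a constructed sample rootfs tarball (not a real OPA image), with or
# without dev/console, so the check can be exercised without a registry.
make_sample_rootfs() {
  dir=$(mktemp -d)
  mkdir -p "$dir/dev" "$dir/etc"
  : > "$dir/etc/os-release"
  if [ "$2" = "with" ]; then
    : > "$dir/dev/console"
  fi
  tar -cf "$1" -C "$dir" .
  rm -rf "$dir"
}

# Report whether a rootfs tarball is expected to run with hostUsers: false.
check_userns_ready() {
  if rootfs_has_console "$1"; then
    echo "$1: has /dev/console, expected to start with hostUsers: false"
  else
    echo "$1: missing /dev/console; add an empty file there before using hostUsers: false"
    return 1
  fi
}

# Interactive usage, e.g.:
#   export_image_rootfs openpolicyagent/opa:1.14.1-envoy opa.tar && check_userns_ready opa.tar
```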
