Add crio_default_capabilities variables and documentation (#11989)

This commit is contained in:
Jean-Vincent kassi
2025-03-04 12:09:42 +00:00
committed by GitHub
parent 0632f23a63
commit 358bacf7ea
3 changed files with 37 additions and 11 deletions


@@ -79,6 +79,26 @@ The `allowed_annotations` configures `crio.conf` accordingly.
The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
The `crio_default_capabilities` configure the default containers capabilities for the crio.
Defaults capabilties are:
```yaml
crio_default_capabilities:
- CHOWN
- DAC_OVERRIDE
- FSETID
- FOWNER
- NET_RAW
- SETGID
- SETUID
- SETPCAP
- NET_BIND_SERVICE
- SYS_CHROOT
- KILL
```
You can add MKNOD to the list for a rancher deployment
## Optional : NRI
[Node Resource Interface](https://github.com/containerd/nri) (NRI) is disabled by default for the CRI-O. If you
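Review bot: The added sentence "You can add MKNOD to the list for a rancher deployment" does not tell the reader how to do it or what it costs. `crio_default_capabilities` is an Ansible list, so an override replaces the default rather than extending it. The text should say that the full list must be restated with MKNOD appended. It should also say that the result becomes the default capability set for every container CRI-O starts on the node, not only the Rancher workloads. The same paragraph is a good place to mention that entries such as NET_RAW can be removed from the list where workloads do not need them. Two wording fixes in the same block: "Defaults capabilties are:" should read "Default capabilities are:", and "configure the default containers capabilities for the crio" should read "configures the default container capabilities for CRI-O".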