> If they are not, you'll need a privileged container to work as the cifs
> client. It would be managed by a DaemonSet and probably require a custom
> SCC to grant it the necessary rights, but it is doable to have a container
> that loads kernel modules into the host and etc.

So we already have a mature way to inject a sidecar into pods that need keytab access. We detect an annotation on an admission controller webhook and inject a privileged pod that creates a keyring from the keystore and shares it with the primary pod via shared memory. I think ideally what I'd like to do is create a similar sidecar that gets the keytab from either a secret or likely a secret manager like Vault, runs the mount inside of the container, then shares the mount across to the primary pod. We already have a way of generating the keyring and custom SCCs for each user. I figure that the hardest part would be sharing the mount from the sidecar to the primary pod. Is that possible?
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
