Use init container to set necessary node level sysctl (#41)

mattermost · Sep 6, 2023 · f72dfec · f72dfec
1 parent 4eaf15c
commit f72dfec
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/service/kubernetes/service.go b/service/kubernetes/service.go
@@ -30,6 +30,7 @@ const (
 	k8sRecordingJobPrefix = "calls-recorder-job-"
 	k8sJobStopTimeout     = 5 * time.Minute
 	k8sRequestTimeout     = 10 * time.Second
+	k8sInitContainerImage = "busybox:1.36"
 )
 
 type JobServiceConfig struct {
@@ -187,6 +188,23 @@ func (s *JobService) CreateJob(cfg job.Config, onStopCb job.StopCb) (job.Job, er
 					},
 				},
 				Spec: corev1.PodSpec{
+					InitContainers: []corev1.Container{
+						{
+							Name:            jobName + "-init",
+							Image:           k8sInitContainerImage,
+							ImagePullPolicy: corev1.PullIfNotPresent,
+							Command: []string{
+								// Enabling the `kernel.unprivileged_userns_clone` sysctl at node level is necessary in order to run Chromium sandbox.
+								// See https://developer.chrome.com/docs/puppeteer/troubleshooting/#recommended-enable-user-namespace-cloning for details.
+								"sysctl",
+								"-w",
+								"kernel.unprivileged_userns_clone=1",
+							},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: newBool(true),
+							},
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Name:            jobName,

diff --git a/service/kubernetes/utils.go b/service/kubernetes/utils.go
@@ -37,6 +37,12 @@ func newInt64(val int64) *int64 {
 	return p
 }
 
+func newBool(val bool) *bool {
+	p := new(bool)
+	*p = val
+	return p
+}
+
 func getEnvFromConfig(cfg recorder.RecorderConfig) []corev1.EnvVar {
 	if cfg == (recorder.RecorderConfig{}) {
 		return nil