Enable Writable cgroups for unprivileged containers

[Divya063]

What is the problem you're trying to solve

Currently, cgroupfs is only writable when containers are running in privileged mode. For unprivileged containers with cgroup v2 enabled, the cgroup interface (/sys/fs/cgroup) is mounted read-only by default, preventing containers from managing their own cgroup hierarchies. Since we have secure delegation, running containers in privileged mode to enable write access seems excessive, it would be nice if we can add support for writable cgroups in unprivileged containers.

Describe the solution you'd like

CRI-O has enabled this feature via annotation io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw. I'm wondering if we could apply the same approach to adjust permissions in a way similar to CRI-O implementation.

Additional context

No response

[AkihiroSuda]

Do you have a KEP?

[Divya063]

@AkihiroSuda I have not yet started writing a KEP for this as I wanted to ensure the direction looks good. if it does, I can start drafting one.

[AkihiroSuda]

• What's the use case?
• Is anybody already using io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw ?
• This should be probably used in conjunction with UserNS, although the delegation should be safe on cgroup v2 hosts, unless CAP_BPF is granted for device controllers
• It seems a serious design mistake to allow weakening the security via an annotation. This could be rather experimented as a runtime class option, which can be only configured by the node admin.

[rata]

I'm curious about @Divya063 use case, but I'll share mine too.

1. My use case is docker in docker, for example. If you delegate the cgroup, you can start docker inside a k8s pod. This is interesting for us.
2. Yes, I know some people are using that annotation, for secure DinD, container builds, or even kubernetes in kubernetes.
3. Oh, why is it unsafe with cgroupsv2+userns+cap_bpf?
4. It is not a design mistake. CRIO only honors annotations that are configured by an admin on the node it is running, and only pods with certain labels can use it (or something like that, I don't remember exactly now). I was surprised too at first, but it seems it is safe :)

[Divya063]

@AkihiroSuda Regarding the use case - In GitLab, we support configuring and running Git processes within cgroups. This enables repository-level isolation by setting individual CPU and memory limits for each repository, which requires writable access to cgroups for unprivileged containers. Currently, we're trying out workarounds like running a binary in an init container to adjust permissions on the pod's cgroups mount point, allowing write access to this directory during runtime. Additionally, to expose the cgroups directory, we would need to mount the hostPath, which raises security concerns.

[rata]

@Divya063 how are you creating the containers? Via the native containerd API? Via the CRI interface?

I think to expose it in both might be the best, but it would be great to understand what would be useful for your use case.

[rata]

Also, docker supports doing the cgroup delegation. I think docker autodetects some stuff (like cgroupsv2, etc.) and then just mount it rw if the right conditions are met. It would be great to check how that is detected, as we might be able to do the same here and avoid annotations.

[Divya063]

Thanks, @rata! I think for creating containers CRI interface is used. Regarding Docker support, I saw this issue: moby/moby#46763. I haven't dug deep into it yet, but I will gather more info.

Edit: Here's the workaround we're using - https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6900

[rata]

@Divya063 Okay, so we have two options for exposing this via the CRI: (a) "the right way" (also is the long way) to expose something via CRI is using the KEP process in Kubernetes (going to sig-node in k8s community to propose this and open the KEP, etc.), (b) use some annotations, but making sure not anyone can just escalate privileges.

[Divya063]

@rata I'm leaning towards the second option as It seems it would be good to have independent support, similar to what other runtimes like Podman and CRI-O have. While exposing a field would be useful—allowing runtimes to decide whether to enable writable cgroups—it's a significant change. Regardless, we need to implement the underlying logic, so I feel this could potentially be done in tandem. What do you think?

[Divya063]

@rata @AkihiroSuda Just FYI there is already an issue opened in K8s upstream - kubernetes/kubernetes#121190

[rata]

cc @dgl as he might be interested in this too