Why does the device plugin work with hostNetwork set to true

Introduction

I am developing a containerized application that runs on an OpenShift cluster and needs access to some host devices located under /dev. This can be achieved by adding the privileged: true flag to the container, but for security reasons my pod shouldn't be privileged.

A workaround for that is using a device plugin that can mount the desired devices and share them with the pod using gRPC.
We ended up using squat/generic-device-plugin, which does exactly what we need.

Sample DaemonSet for starting the generic-device-plugin as a DaemonSet.

The official Kubernetes documentation states that device plugins should be deployed as privileged, as
the canonical directory /var/lib/kubelet/device-plugins/ requires privileged access.

Running generic-device as non-privileged

We discovered that the device plugin can work properly without being privileged (privileged: false) when we instead set hostNetwork: true.

Running generic-device-plugin without privileged or hostNetwork fails with the error:
Error while dialing: dial unix /var/lib/kubelet/device-plugins/kubelet.sock: connect: permission denied.

Setup

Tests were performed on an OpenShift v4.13 cluster installed on bare metal via the assisted installer.
It runs multus CNI.

Question

Why does having direct access to the host node's network interfaces (hostNetwork: true) allow access to the sockets in /var/lib/kubelet/device-plugins?
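For readers who want to reproduce the setup described in the question, here is an added example manifest (not the poster's DaemonSet and not the generic-device-plugin project's own) of the non-privileged variant: privileged: false combined with hostNetwork: true, with the kubelet device-plugin directory and /dev bind-mounted from the host. The image name, the --domain value and the --device argument format are assumptions based on the project's README and should be checked against it.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: generic-device-plugin
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: generic-device-plugin
  template:
    metadata:
      labels:
        app: generic-device-plugin
    spec:
      # The combination under discussion: the container is NOT privileged,
      # but it shares the node's network namespace. Flipping privileged to
      # true and dropping hostNetwork gives the configuration the Kubernetes
      # docs describe as canonical for device plugins.
      hostNetwork: true
      priorityClassName: system-node-critical
      containers:
      - name: generic-device-plugin
        image: squat/generic-device-plugin   # assumed image name
        args:
        - --domain
        - example.com                        # assumed vendor domain for resource names
        - --device
        - |                                  # assumed --device format; constructed sample
          name: serial
          groups:
          - paths:
            - path: /dev/ttyUSB*
        securityContext:
          privileged: false
        volumeMounts:
        # Socket directory where the plugin registers with kubelet.sock.
        - name: device-plugin
          mountPath: /var/lib/kubelet/device-plugins
        # Host devices the plugin enumerates and hands out to pods.
        - name: dev
          mountPath: /dev
      volumes:
      - name: device-plugin
        hostPath:
          path: /var/lib/kubelet/device-plugins
      - name: dev
        hostPath:
          path: /dev
```

With hostNetwork removed and privileged left false, the plugin should reproduce the "connect: permission denied" error on kubelet.sock quoted above.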
