device_ownership_from_security_context = true Is this supported ?

[socceranoo]

Expected Behavior

CRIO./containerd implements device_ownership_from_security_context = true
where the device mounts follows the security context declared in the POD spec

Actual Behavior

Cri-dockerd / docker doesnt honor the pwermissions of devices to that of the user

Steps to Reproduce the Problem

Specifications

• Version: 0.3.0
• Platform: RockyLinux
• Subsystem: docker-26

[afbjorklund]

It seems like this kubernetes 1.22 feature was never ported over to the docker runtime:

• allow non-root user containers to use devices kubernetes/kubernetes#92211 (comment)

As mentioned in the release blog (that only talks about cri-o and containerd, not docker):

• https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/

[afbjorklund]

As far as I can tell, it is missing from the docker API parameters:

// DeviceMapping represents the device mapping between the host and the container.
type DeviceMapping struct {
        PathOnHost        string
        PathInContainer   string
        CgroupPermissions string
}

So there doesn't seem to be a way to change the Linux.Device