Based on https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
Create container image:
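# Image that runs systemd as PID 1 inside an unprivileged container
# (following the Red Hat article referenced above).
FROM opensuse/tumbleweed:latest

# systemd-sysvinit provides /sbin/init; --non-interactive answers prompts
# automatically and `zypper clean` drops the package cache from the layer.
RUN zypper --non-interactive install systemd systemd-sysvinit && zypper clean --all

# As PID 1, systemd treats SIGTERM as "re-execute", not "shut down", so the
# default stop signal would just wait out the grace period before SIGKILL.
# SIGRTMIN+3 asks systemd for a clean halt.
STOPSIGNAL SIGRTMIN+3

CMD ["/sbin/init"]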
Create the Deployment:
Use a ServiceAccount bound to the privileged PSP in order to use a hostPath volume.
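---
# Identity the systemd pod runs as; it exists only so that a RoleBinding can
# grant it the PodSecurityPolicy needed for the hostPath volume.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: systemd
  namespace: default
# Nothing in the pod (systemd as PID 1) uses the Kubernetes API, so do not
# mount an API token into it. PSP admission is decided from the pod's
# ServiceAccount identity, not from a mounted token, so the binding still works.
automountServiceAccountToken: false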
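---
# Binds the systemd ServiceAccount to the CaaSP "privileged" PodSecurityPolicy
# so its pod may mount a hostPath volume.
# NOTE(review): the privileged PSP allows far more than a read-only hostPath
# of /sys/fs/cgroup; a dedicated, narrower PSP would be preferable if the
# cluster provides one.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:systemd:privileged
  namespace: default
roleRef:
  kind: ClusterRole
  name: suse:caasp:psp:privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: systemd
    # namespace is required for ServiceAccount subjects; without it the API
    # server rejects the binding ("subjects[0].namespace: Required value").
    namespace: default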
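---
# Single-replica Deployment running the opensuse-systemd image with systemd as
# PID 1. /run is a memory-backed emptyDir and the host cgroup tree is mounted
# read-only, as in the referenced article.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: systemd
  namespace: default
  labels:
    app: systemd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: systemd
  template:
    metadata:
      labels:
        app: systemd
    spec:
      # serviceAccountName is the current field; serviceAccount is a
      # deprecated alias that still works but should not be used in new manifests.
      serviceAccountName: systemd
      # Nothing in this pod talks to the Kubernetes API; keep the token out of
      # the container rather than exposing it to whatever systemd starts.
      automountServiceAccountToken: false
      #terminationGracePeriodSeconds: 10
      containers:
        - name: systemd
          image: localhost/opensuse-systemd:latest
          imagePullPolicy: IfNotPresent
          stdin: true
          tty: true
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: 200m
              memory: 200Mi
          volumeMounts:
            # systemd needs a writable /run.
            - mountPath: /run
              name: tmpfs-run
            # Read-only view of the host cgroup hierarchy.
            - mountPath: /sys/fs/cgroup
              name: cgroup
              readOnly: true
      volumes:
        - name: tmpfs-run
          emptyDir:
            medium: Memory
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
            # Directory rather than DirectoryOrCreate: the cgroup filesystem
            # must already exist on the node. Creating an empty directory there
            # would hide a mis-configured node instead of failing the pod.
            type: Directory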
Then I did a quick test from inside the container: `zypper in nginx curl && systemctl start nginx && curl localhost`