Description
Seeing the following message in the docker daemon log. Once this error happens, the docker daemon becomes unresponsive.
time="2020-08-15T22:15:47Z" level=error msg="Error while reading from Writer: bufio.Scanner: token too long" plugin=08dbb7e7fa5b2fe88e92ccac8783d8866cc40df8b2855bbe8381132b8e1c3ec3
Environment:
- Docker DIND + OPA authz plugin deployed in kubernetes environment
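apiVersion: v1
kind: Pod
metadata:
  labels:
    name: dind
  name: dind-daemon
# `spec:` was absent from the pasted manifest; for kind: Pod the containers
# and volumes sections must sit under spec or the API server rejects the object.
spec:
  containers:
    - name: dind
      image: docker:18.09.5-dind
      imagePullPolicy: IfNotPresent
      # The socket lives on a hostPath directory volume, so the socket path can
      # already exist as a directory when the pod starts; clear it before dockerd
      # binds its unix socket there.
      command:
        - sh
        - -c
        - >-
          if [ -d /var/run/dind/docker.sock ]; then rm -rf /var/run/dind/docker.sock;fi
          && /usr/local/bin/dockerd-entrypoint.sh dockerd --storage-driver=overlay2
          -H unix:///var/run/dind/docker.sock
      lifecycle:
        postStart:
          exec:
            command:
              - /bin/sh
              - -c
              # Installs the OPA authz plugin with every permission granted, turns it
              # on in daemon.json and HUPs dockerd so the new config is loaded.
              # NOTE(review): the policy is copied to /etc/docker/policies but the
              # plugin is told to read /opa/policies/authz.rego — confirm the plugin's
              # own mount maps one onto the other, otherwise no policy is enforced.
              - >-
                mkdir -p /etc/docker/policies
                && cp /etc/docker/opa-policy/authz.rego /etc/docker/policies
                && docker -H unix:///var/run/dind/docker.sock plugin install
                --grant-all-permissions openpolicyagent/opa-docker-authz-v2:0.4
                opa-args="-policy-file /opa/policies/authz.rego"
                && echo '{ "authorization-plugins": ["openpolicyagent/opa-docker-authz-v2:0.4"] }'
                > /etc/docker/daemon.json
                && kill -HUP $(pidof dockerd)
      resources:
        requests:
          cpu: "1"
          memory: 4G
      securityContext:
        # Needed for DIND; a privileged container has unrestricted access to the
        # node, so the authz policy below is the only guard on what it is asked to run.
        privileged: true
      volumeMounts:
        - mountPath: /var/lib/docker
          name: varlibdocker
        - mountPath: /var/run/dind
          name: rundind
        - mountPath: /etc/docker/opa-policy
          name: opa-policy
  volumes:
    - name: varlibdocker
      emptyDir: {}
    - name: opa-policy
      configMap:
        name: docker-opa-policy
        defaultMode: 420  # decimal for mode 0644
    - name: rundind
      hostPath:
        path: /var/run/dind/
        # Empty type means no check is performed on the node path; the daemon
        # socket is exposed on the node filesystem at this location.
        type: ""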
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: docker-opa-policy
data:
  # Rego policy for the opa-docker-authz plugin. Mounted into the dind pod at
  # /etc/docker/opa-policy and copied into place by the postStart hook.
  # Deny by default; the single rule permits any request whose body does not
  # ask for a privileged container (requests without a HostConfig are allowed).
  authz.rego: |-
    package docker.authz
    default allow = false
    allow {
      not input.Body.HostConfig.Privileged
    }