{
  "guid": "50421c7a-c88f-5463-bfab-57eede41677e",
  "title": "Privilege delegation for rootless containers, what choices do we have?",
  "subtitle": null,
  "slug": "all-systems-go-2025-349-privilege-delegation-for-rootless-containers-what-choices-do-we-have-",
  "link": "https://cfp.all-systems-go.io/all-systems-go-2025/talk/SPGAXS/",
  "description": "Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, when developing more complex infrastructure extensions, these restrictions frequently get in the way of application functionality.\n\nWhile looking for a solution to deploy virtiofsd in an unprivileged container for KubeVirt, we stumbled on seccomp notifiers. Seccomp user notification is a kernel feature: a seccomp filter marks selected syscalls, and whenever the filtered process executes one of them the kernel notifies a supervising userspace process, which decides how the call is answered.\n\nThe alternatives involved either a custom protocol over UNIX sockets or deploying virtiofs as a privileged component alongside the unprivileged VM.\n\nAfter our evaluation, the seccomp notifier turned out to be the simplest solution of all the choices. Unfortunately, its main constraint is that the monitor is not resilient to a restart, such as after a crash or an upgrade. This limitation forced us to fall back to one of the less elegant approaches. But there is hope that this could be solved!\n\nThe session will explain why seccomp notifiers are a lean solution that avoids extra userspace communication and synchronization, the current limitations, and possible future solutions to overcome today’s challenges.\n\nOur experience will teach audiences several methods for dividing up their privileged infrastructure, using virtiofsd as a real example and as the target application for KubeVirt integration and deployment. We will discuss the difficulties of using rootless containers in this session, as well as the design patterns, technologies, and tactics we considered and ultimately chose to keep or reject.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/",
  "original_language": "eng",
  "persons": ["Alice Frosi", "German Maglione"],
  "tags": ["349", "2025", "asg2025", "Loft", "asg2025-eng", "asg2025", "Day 2"],
  "view_count": 94,
  "promoted": false,
  "date": "2025-10-01T12:10:00.000+02:00",
  "release_date": "2025-10-01T00:00:00.000+02:00",
  "updated_at": "2026-04-02T16:45:04.153+02:00",
  "length": 1303,
  "duration": 1303,
  "thumb_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.jpg",
  "poster_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/349-50421c7a-c88f-5463-bfab-57eede41677e.thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/all-systems-go-2025-349-privilege-delegation-for-rootless-containers-what-choices-do-we-have-",
  "url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e",
  "conference_title": "All Systems Go! 2025",
  "conference_url": "https://api.media.ccc.de/public/conferences/asg2025",
  "related": [],
  "recordings": [
    {"size": 126, "length": 1303, "mime_type": "video/webm;codecs=av01", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_av1-hd.webm", "state": "new", "folder": "av1-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2025-10-01T13:53:28.136+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/av1-hd/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_av1-hd.webm", "url": "https://api.media.ccc.de/public/recordings/91883", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 19, "length": 1303, "mime_type": "audio/mpeg", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_mp3.mp3", "state": "new", "folder": "mp3", "high_quality": false, "width": 0, "height": 0, "updated_at": "2025-10-01T13:57:24.017+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/mp3/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_mp3.mp3", "url": "https://api.media.ccc.de/public/recordings/91888", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 14, "length": 1303, "mime_type": "audio/opus", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_opus.opus", "state": "new", "folder": "opus", "high_quality": false, "width": 0, "height": 0, "updated_at": "2025-10-01T13:56:46.210+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/opus/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_opus.opus", "url": "https://api.media.ccc.de/public/recordings/91886", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 144, "length": 1303, "mime_type": "video/webm", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_webm-hd.webm", "state": "new", "folder": "webm-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2025-10-01T14:26:14.700+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/webm-hd/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_webm-hd.webm", "url": "https://api.media.ccc.de/public/recordings/91898", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 52, "length": 1303, "mime_type": "video/webm", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_webm-sd.webm", "state": "new", "folder": "webm-sd", "high_quality": false, "width": 720, "height": 576, "updated_at": "2025-10-01T14:12:18.173+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/webm-sd/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_webm-sd.webm", "url": "https://api.media.ccc.de/public/recordings/91894", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 42, "length": 1303, "mime_type": "video/mp4", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_sd.mp4", "state": "new", "folder": "h264-sd", "high_quality": false, "width": 720, "height": 576, "updated_at": "2025-10-01T13:55:54.858+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/h264-sd/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_sd.mp4", "url": "https://api.media.ccc.de/public/recordings/91884", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"},
    {"size": 134, "length": 1303, "mime_type": "video/mp4", "language": "eng", "filename": "asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_hd.mp4", "state": "new", "folder": "h264-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2025-10-01T13:43:32.202+02:00", "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/h264-hd/asg2025-349-eng-Privilege_delegation_for_rootless_containers_what_choices_do_we_have_hd.mp4", "url": "https://api.media.ccc.de/public/recordings/91881", "event_url": "https://api.media.ccc.de/public/events/50421c7a-c88f-5463-bfab-57eede41677e", "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"}
  ]
}