The easy way to do this is to enable privileged mode and mount the docker socket into the container.
I am not going to do this so that we can keep the container unprivileged.
The VS Code extension that enables the docker workflow: https://github.com/microsoft/vscode-docker
Maybe running a dind container as a side car?
spec:
template:
metadata:
labels:
identifier: ''
spec:
restartPolicy: Never
containers:
- name: code-server
[...]
env:
- name: DOCKER_HOST
value: tcp://localhost:2375
- name: dind-daemon
image: docker:stable-dind
env:
- name: DOCKER_TLS_CERTDIR
value: ""
resources:
requests:
cpu: 20m
memory: 512Mi
securityContext:
privileged: true
volumeMounts:
- name: docker-graph-store
mountPath: /var/lib/docker
volumes:
- name: docker-graph-store
emptyDir: {}The big complication here is that if the docker sidecar spins up a new container, Kubelet will see it and try to murder it.... and if the pod gets re-scheduled, it could forget about the running container and we will end up with lots of other crap clogging up the node.