Container late-binding in unprivileged dHTC pilot systems on Kubernetes resources

The scientific and research community has benefited greatly from containerized distributed High Throughput Computing (dHTC), both by enabling elastic scaling of user compute workloads to thousands of compute nodes, and by allowing for distributed ownership of compute resources. To effectively and efficiently deal with the dynamic nature of the setup, the most successful implementations use an overlay batch scheduling infrastructure fed by a pilot provisioning system. One fundamental property of these setups is the use of late binding of containerized user workloads. From a resource provider point of view, a compute resource is thus claimed before the user container image is selected. This paper provides a mechanism to implement this late-binding of container images on Kubernetes-managed resources, without requiring any elevated privileges.