# general
a
c
The kubelet and containerd won't work without operating in privileged mode. They need a bunch of capabilities, and no one has bothered to figure out which ones specifically they need because there are so many.
b
Thank you for your answer. How about rootless mode? Because I run this Docker in a special context, I can't use privileged mode. But I saw an issue that rootless k3s still needs privileged mode, which really confuses me.
c
yeah, I’m not so sure about rootless. I would ask @best-accountant-68201; he’s the rootless expert.
b
rootless still needs `--privileged` for:
• disabling seccomp to enable syscalls like `mount(2)` (equivalent of `--security-opt seccomp=unconfined`)
• disabling apparmor to enable mounting, etc. (equivalent of `--security-opt apparmor=unconfined`)
• disabling masks for `/proc`, `/sys` (equivalent of `--security-opt systempaths=unconfined`)
• etc.
While the container is "privileged", the processes inside there are not really privileged. They are as unprivileged as processes that are just running as a normal user on the host.
b
1. Is there any chance that I can use something like `--security-opt apparmor=unconfined` or `--cap-add SYS_ADMIN` to avoid `--privileged`?
2. What do you mean they are not really privileged? I think the privileged container is a process run as host root.
b
1. Theoretically yes, but the current `--privileged` of Docker has something (can't remember) that can't be expressed with `--security-opt`.
2. UID != 0