Does anyone know why k3s have to run in --privileged in docker? Is there any way to avoid this alternative? Want to know some more detailed answer or point out a way to find a detailed answer, thank you.

The kubelet and containerd won't work without operating in privileged mode. It needs a bunch of capabilities and noone has bothered to figure out which ones specifically it needs because there's so many.

Thank you for your answer. How about rootless mode? Cause I run this docker in a special context, so I can't use privileged mode. But I saw issue that rootless k3s still need privileged mode, which really confuses me.

yeah, I’m not so sure about rootless. I would ask @best-accountant-68201; he’s the rootless expert.

rootless still needs

--privileged

for: • disabling seccomp to enable syscalls like

mount(2)

(equivalent of

--security-opt seccomp=unconfined

) • disabling apparmor to enable mounting, etc. (equivalent of

--security-opt apparmor=unconfined

) • disabling masks for

/proc

(equivalent of

--security-opt systemspaths=unconfined

),

/sys

• etc.

1. Is there any chance that I can use something like --security-opt apparmor=unconfined or --cap-add SYS_ADMIN to avoid --privileged? 2. what do you mean there are not really privileged? I think the privileged container is a process run as a host root.

1. Theoretically yes, but the current --privileged of docker has something (can’t remember) that can’t be expressed with --security-opt 2. UID != 0