#general

busy-easter-55684

09/02/2022, 1:57 AM
Does anyone know why k3s has to run with --privileged in docker? Is there any alternative to avoid this? I want a more detailed answer, or a pointer to where I can find one. Thank you.

creamy-pencil-82913

09/02/2022, 2:34 AM
The kubelet and containerd won't work without operating in privileged mode. It needs a bunch of capabilities and no one has bothered to figure out which ones specifically it needs because there's so many.

busy-easter-55684

09/02/2022, 2:51 AM
Thank you for your answer. How about rootless mode? Cause I run this docker in a special context, so I can't use privileged mode. But I saw an issue that rootless k3s still needs privileged mode, which really confuses me.

creamy-pencil-82913

09/02/2022, 4:02 AM
yeah, I’m not so sure about rootless. I would ask @best-accountant-68201; he’s the rootless expert.

best-accountant-68201

09/02/2022, 4:37 AM
rootless still needs `--privileged` for:
• disabling seccomp to enable syscalls like `mount(2)` (equivalent of `--security-opt seccomp=unconfined`)
• disabling apparmor to enable mounting, etc. (equivalent of `--security-opt apparmor=unconfined`)
• disabling masks for `/proc` (equivalent of `--security-opt systempaths=unconfined`), `/sys`
• etc.
While the container is “privileged”, the processes inside there are not really privileged. They are as unprivileged as processes that are just running as a normal user on the host.

busy-easter-55684

09/02/2022, 5:45 AM
1. Is there any chance that I can use something like `--security-opt apparmor=unconfined` or `--cap-add SYS_ADMIN` to avoid `--privileged`?
2. What do you mean they are not really privileged? I think the privileged container is a process run as host root.

best-accountant-68201

09/02/2022, 5:48 AM
1. Theoretically yes, but the current `--privileged` of docker has something (can’t remember) that can’t be expressed with `--security-opt`.
2. UID != 0