kata-irc-bot | <dgibson> In general the privileged flag is a bad idea for Kata containers | 01:19 |
---|---|---|
kata-irc-bot | <dgibson> it's not really clear what the semantics should be | 01:19 |
kata-irc-bot | <dgibson> to the extent that it's defined now, it's in terms of *host* privileges, which doesn't really make sense for a Kata container | 01:20 |
kata-irc-bot | <dgibson> in particular passing through all the devices is extremely complex - maybe impossible | 01:20 |
kata-irc-bot | <dgibson> since Kata needs to handle each type of device differently | 01:20 |
kata-irc-bot | <dgibson> privileged has been abused in some cases to describe privileges w.r.t. the guest | 01:21 |
kata-irc-bot | <dgibson> but it's not really clear what that should mean either | 01:21 |
kata-irc-bot | <eric.ernst> Yep. That was part of the reason the flag was added in CRI to not pass host devices in case of priv. In general… Don't use privileged. | 03:25 |
kata-irc-bot | <dgibson> From the k8s side, privileged containers are often used for managing things on the host side, which is fundamentally not possible with kata containers | 06:01 |
*** fidencio is now known as fidencio|off | 14:20 |