From adc0462a88473bc25e74a53314913babd33b4e73 Mon Sep 17 00:00:00 2001 From: Leopold Schabel Date: Thu, 2 May 2019 11:10:57 +0000 Subject: [PATCH 1/2] docs: Fix typo in "Definition of a limitation" header This commit fixes a typo in Limitations.md Signed-off-by: Leopold Schabel --- Limitations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Limitations.md b/Limitations.md index e986923354..3fe2973f06 100644 --- a/Limitations.md +++ b/Limitations.md @@ -1,5 +1,5 @@ * [Overview](#overview) -* [Definiton of a limitation](#definiton-of-a-limitation) +* [Definition of a limitation](#definiton-of-a-limitation) * [Scope](#scope) * [Contributing](#contributing) * [Pending items](#pending-items) @@ -45,7 +45,7 @@ launches each container within its own hardware isolated VM, and each VM has its own kernel. Due to this higher degree of isolation, certain container capabilities cannot be supported or are implicitly enabled through the VM. -# Definiton of a limitation +# Definition of a limitation The [Open Container Initiative](https://www.opencontainers.org/) [Runtime Specification](https://github.com/opencontainers/runtime-spec) ("OCI spec") From 0721b6a2e997bc3885c8aa32b343caf0f3fa84b1 Mon Sep 17 00:00:00 2001 From: Leopold Schabel Date: Thu, 2 May 2019 11:12:39 +0000 Subject: [PATCH 2/2] docs: Clarify security boundaries in privileged mode See https://github.com/kata-containers/runtime/issues/1568 Fixes #453 Signed-off-by: Leopold Schabel --- Limitations.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Limitations.md b/Limitations.md index 3fe2973f06..9d94fb2ddb 100644 --- a/Limitations.md +++ b/Limitations.md @@ -221,11 +221,15 @@ See more documentation at Privileged support in Kata is essentially different from `runc` containers. Kata does support `docker run --privileged` command, but in this case full access -to the guest VM is provided instead of the host. +to the guest VM is provided in addition to some host access. + The container runs with elevated capabilities within the guest and is granted access to guest devices instead of the host devices. This is also true with using `securityContext privileged=true` with Kubernetes. +The container may also be granted full access to a subset of host devices +(https://github.com/kata-containers/runtime/issues/1568). + # Miscellaneous This section lists limitations where the possible solutions are uncertain.