Use Kata containers for better isolation #334
Comments
|
I think we circumvent that by using Kubernetes for Janitor. This is how exactly how Gitpod is doing it. @jankeromnes Opnions on this. |
|
@sr229 All Kubernetes has is a slightly more strict seccomp profile, so it doesn't add security nor loosen the debugging restriction. What are you proposing? |
|
@ishitatsuyuki in Kubernetes, Kata Containers aren't subject to its Docker limitations, so using a Kubernetes runtime is more plausible than just using Docker all-in-all due to the networking limitations and a whole lot more documented. |
|
I don't think Kubernetes is worth its complexity in this case. Not having a networked storage is the main reason, and secondly we probably don't want a big refactoring on Janitor codebase itself because it's too much work. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kata containers are a way to run Docker container in a VM-like fashion, which allows us to grant almost any permission with much less risk of getting exploited of a kernel bug.
This has a few downsides:
The text was updated successfully, but these errors were encountered: