Open ishitatsuyuki opened 6 years ago
I think we circumvent that by using Kubernetes for Janitor. This is exactly how Gitpod is doing it.
@jankeromnes Opinions on this.
@sr229 All Kubernetes has is a slightly more strict seccomp profile, so it doesn't add security nor loosen the debugging restriction. What are you proposing?
@ishitatsuyuki in Kubernetes, Kata Containers aren't subject to its Docker limitations, so using a Kubernetes runtime is more plausible than just using Docker, all in all, due to the networking limitations, and it is a whole lot better documented.
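For reference, this is what selecting Kata Containers as a Kubernetes runtime looks like in practice. It is an added example, not configuration from this issue, from Janitor or from Gitpod: it declares a `RuntimeClass` whose `handler` name (`kata`, assumed here) must match a runtime handler already registered with the node's container runtime (for containerd, under `plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata` with `runtime_type = "io.containerd.kata.v2"`), and then pins a pod to it with `runtimeClassName`. Pods without `runtimeClassName` keep using the default runc-based runtime, so the isolation boundary is only applied where it is explicitly requested.

```yaml
# Added example: a RuntimeClass selecting the Kata Containers handler.
# The handler name "kata" is an assumption; it has to match the name the
# node's container runtime (containerd/CRI-O) uses for the Kata shim.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Added example: a pod that runs inside a Kata VM instead of a plain
# namespaced process. Everything else about the pod spec is unchanged.
apiVersion: v1
kind: Pod
metadata:
  name: janitor-sandbox-example   # constructed name, not a Janitor resource
spec:
  runtimeClassName: kata
  containers:
    - name: workspace
      image: debian:stable-slim     # placeholder image for the example
      command: ["sleep", "infinity"]
```

A quick way to confirm the class is actually in effect on a node is `kubectl get runtimeclass` (the class must exist) and, from inside the pod, `uname -r` or `dmesg | head`: a Kata pod reports the guest VM kernel rather than the host's, whereas a runc pod reports the host kernel.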
I don't think Kubernetes is worth its complexity in this case. Not having networked storage is the main reason, and secondly we probably don't want a big refactoring of the Janitor codebase itself because it's too much work.
Kata Containers are a way to run Docker containers in a VM-like fashion, which allows us to grant almost any permission with much less risk of being exploited via a kernel bug.
This has a few downsides: