by akdev1l
383 days ago
One can definitely build a container runtime that uses virtualization to protect the host. For example, there is Kata Containers: https://katacontainers.io/ This can be used with regular `podman` by just changing the container runtime, so there's not even a need for any extra tooling. In theory you could shove the container runtime into something like k8s.
True, by "container" I really meant "shared-kernel container".
> In theory you could shove the container runtime into something like k8s
Yeah this is actually supported by k8s.
Whether that means it's actually reasonable to run completely untrusted workloads on your own cluster is another question. But it definitely seems like a really good defense-in-depth feature.
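For reference, this is what the k8s support mentioned above looks like in practice. It is an added example, not part of the original thread or of the Kata project's own documentation: a `RuntimeClass` that maps to a handler named `kata`, and a Pod that opts into it. The handler name is an assumption; it has to match whatever name the node's CRI runtime (containerd or CRI-O) has registered for the Kata shim, and nodes without that handler will refuse to schedule the Pod.

```yaml
# Added example (not from the original thread). Assumes the node-level CRI
# runtime has a handler called "kata" that launches the Kata shim; the name
# is illustrative and must match your containerd/CRI-O configuration.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
# "handler" is the name the CRI runtime knows, not a path to a binary.
handler: kata
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-workload
spec:
  # Selecting the RuntimeClass is the only change needed on the workload side;
  # the container image and the rest of the spec stay as they are.
  runtimeClassName: kata
  containers:
    - name: app
      image: alpine:3.19
      # Prints the guest kernel version; compare it with `uname -r` on the node
      # to confirm the workload is not sharing the host kernel.
      command: ["sh", "-c", "uname -r && sleep 3600"]
```

A quick check after `kubectl apply -f` is to compare `kubectl logs untrusted-workload` (the guest kernel) with `uname -r` on the node the Pod landed on; if they match, the Pod is running on an ordinary shared-kernel runtime and the RuntimeClass is not taking effect. Leaving `runtimeClassName` off a Pod keeps the cluster's default runtime, so the isolation boundary is opt-in per workload unless an admission policy enforces it.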