privileged: Update docs for privileged mode with crio

cri-o now supports running privilged containers without passing devices from the host to the container. Fixes kata-containers#529 Signed-off-by: Archana Shinde <[email protected]>
amshinde · Dec 4, 2019 · 3ec5209 · 3ec5209
1 parent 1fd8ac6
commit 3ec5209
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/how-to/privileged.md b/how-to/privileged.md
@@ -44,3 +44,30 @@ See below example config:
 
  - [Kata Containers with Containerd and CRI documentation](how-to-use-k8s-with-cri-containerd-and-kata.md)
  - [Containerd CRI config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
+
+#### CRI-O
+
+Similar to containerd, cri-o also now allows configuring the privileged host devices behavior for each runtime.
+A similar option called `privileged_without_host_devices` exists for doing this. With this option set to true,
+none of the host devices are passed to a container running as privileged.
+
+See below example config:
+
+```toml
+[crio.runtime.runtimes.runc]
+  runtime_path = "/usr/local/bin/crio-runc"
+  runtime_type = "oci"
+  runtime_root = "/run/runc"
+  privileged_without_host_devices = false
+[crio.runtime.runtimes.kata]
+  runtime_path = "/usr/bin/kata-runtime"
+  runtime_type = "oci"
+  privileged_without_host_devices = true
+[crio.runtime.runtimes.kata-shim2]
+  runtime_path = "/usr/local/bin/containerd-shim-kata-v2"
+  runtime_type = "vm"
+  privileged_without_host_devices = true
+```
+
+ - [Kata Containers with CRI-O](https://github.com/kata-containers/documentation/blob/master/how-to/run-kata-with-k8s.md#cri-o)
+