From 3ec5209ad61431d302f499edfb3c7b20c2611c99 Mon Sep 17 00:00:00 2001
From: Archana Shinde
Date: Wed, 4 Dec 2019 11:21:09 -0800
Subject: [PATCH] privileged: Update docs for privileged mode with crio

cri-o now supports running privilged containers without passing devices from the host to the container.

Fixes #529

Signed-off-by: Archana Shinde
---
 how-to/privileged.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/how-to/privileged.md b/how-to/privileged.md
index 3a4733bc..ac60a7cf 100644
--- a/how-to/privileged.md
+++ b/how-to/privileged.md
@@ -44,3 +44,30 @@ See below example config:
 
 - [Kata Containers with Containerd and CRI documentation](how-to-use-k8s-with-cri-containerd-and-kata.md)
 - [Containerd CRI config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
+
+#### CRI-O
+
+Similar to containerd, cri-o also now allows configuring the privileged host devices behavior for each runtime.
+A similar option called `privileged_without_host_devices` exists for doing this. With this option set to true,
+none of the host devices are passed to a container running as privileged.
+
+See below example config:
+
+```toml
+[crio.runtime.runtimes.runc]
+ runtime_path = "/usr/local/bin/crio-runc"
+ runtime_type = "oci"
+ runtime_root = "/run/runc"
+ privileged_without_host_devices = false
+[crio.runtime.runtimes.kata]
+ runtime_path = "/usr/bin/kata-runtime"
+ runtime_type = "oci"
+ privileged_without_host_devices = true
+[crio.runtime.runtimes.kata-shim2]
+ runtime_path = "/usr/local/bin/containerd-shim-kata-v2"
+ runtime_type = "vm"
+ privileged_without_host_devices = true
+```
+
+ - [Kata Containers with CRI-O](https://github.com/kata-containers/documentation/blob/master/how-to/run-kata-with-k8s.md#cri-o)
+