Merge pull request #253 from grahamwhaley/20180925_selinux_limitation

Limitations: add selinux support limitation
kata-containers · Oct 4, 2018 · 07af37e · 07af37e
2 parents ec9f9d4 + 38a06ca
commit 07af37e
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/Limitations.md b/Limitations.md
@@ -14,6 +14,8 @@
     * [Resource management](#resource-management)
         * [docker run and shared memory](#docker-run-and-shared-memory)
         * [docker run and sysctl](#docker-run-and-sysctl)
+    * [Docker daemon features](#docker-daemon-features)
+        * [selinux support](#selinux-support)
 * [Architectural limitations](#architectural-limitations)
     * [Networking limitations](#networking-limitations)
         * [Support for joining an existing VM network](#support-for-joining-an-existing-vm-network)
@@ -177,6 +179,23 @@ allows configuring the sysctl settings that support namespacing. From a security
 
 See issue https://github.com/kata-containers/runtime/issues/185 for more information.
 
+## Docker daemon features
+
+Some features enabled or implemented via the
+[dockerd daemon](https://docs.docker.com/config/daemon/) configuration are not yet
+implemented.
+
+### selinux support
+
+The `dockerd` configuration option `"selinux-enabled": true` is not presently implemented
+in Kata Containers. Enabling this option causes an OCI runtime error.
+
+See issue https://github.com/kata-containers/runtime/issues/784 for more information.
+
+The consequence of this is that the [Docker --security-opt is only partially supported](#docker---security-opt-option-partially-supported).
+
+Kubernetes [selinux labels](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container) will also not be applied.
+
 # Architectural limitations
 
 This section lists items that might not be fixed due to fundamental