💾 Archived View for gemini.bortzmeyer.org › fosdem › event-11054.gmi captured on 2021-12-17 at 13:26:06. Gemini links have been rewritten to link to archived content


FOSDEM event "KubeVirt: privilege dropping one capability at a time"

Miguel Barroso

Type devroom

Starts on day 1 (2021-02-06) at 10:45 (Brussels time, UTC+1) in room Virtualization (duration 00:45)

Matrix room #virtualization:fosdem.org

KubeVirt's architecture is composed of two main components: virt-handler, a trusted DaemonSet running on each node, which operates as the virtualization agent, and virt-launcher, an untrusted Kubernetes pod encapsulating a single libvirt + qemu process.

To reduce the attack surface of the overall solution, the untrusted virt-launcher component should run with as few Linux capabilities as possible. The goal of this talk is to explain the journey to get there, and the steps taken to drop CAP_NET_ADMIN and CAP_NET_RAW from the untrusted component.
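A check an operator can run against the processes inside a virt-launcher pod to confirm the two capabilities really were dropped, added here as an example and not code from the talk or the KubeVirt project: it decodes the CapEff bitmask the kernel exposes in /proc/<pid>/status and names any of CAP_NET_ADMIN / CAP_NET_RAW still in effect. The status texts, PIDs and masks below are constructed samples.

```python
"""Report whether a process still holds CAP_NET_ADMIN or CAP_NET_RAW.

Added example, not KubeVirt or talk code. The kernel exposes a process's
effective capability set as a hex bitmask on the CapEff line of
/proc/<pid>/status; bit N set means capability number N is effective.
"""
from __future__ import annotations

import re

# Capability numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
WATCHED = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_NET_RAW: "CAP_NET_RAW"}

_CAPEFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_eff(status_text: str) -> int:
    """Extract the CapEff bitmask from the contents of /proc/<pid>/status."""
    match = _CAPEFF_RE.search(status_text)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def retained_net_caps(cap_eff: int) -> list[str]:
    """Names of the watched network capabilities still present in the mask."""
    return [name for bit, name in sorted(WATCHED.items()) if cap_eff & (1 << bit)]


def check_pid(pid: int) -> list[str]:
    """Read /proc/<pid>/status on a live host and return the retained caps."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        return retained_net_caps(parse_cap_eff(fh.read()))


# Constructed sample status files (hypothetical PIDs and masks, not real
# virt-launcher captures). 0x3003 sets bits 0, 1, 12 and 13; 0x3 sets 0 and 1.
STATUS_WITH_NET_CAPS = (
    "Name:\tqemu-kvm\nPid:\t4242\n"
    "CapPrm:\t0000000000003003\nCapEff:\t0000000000003003\n"
)
STATUS_DROPPED = (
    "Name:\tqemu-kvm\nPid:\t4243\n"
    "CapPrm:\t0000000000000003\nCapEff:\t0000000000000003\n"
)

if __name__ == "__main__":
    for label, text in (("before", STATUS_WITH_NET_CAPS), ("after", STATUS_DROPPED)):
        kept = retained_net_caps(parse_cap_eff(text))
        print(f"{label}: {'retains ' + ', '.join(kept) if kept else 'neither capability effective'}")
```

On a live node, `check_pid(<pid>)` against the qemu process of a virt-launcher pod should return an empty list once the pod spec drops both capabilities.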

FOSDEM schedule page