k8s/StudyNotes/ Security Docker
- Docker uses Linux namespaces for isolation; container processes are still visible on the host.
- Linux capabilities (defined in /usr/include/linux/capability.h) can be limited per container.
- In Docker, capabilities can be added or dropped at run time:
  docker run --cap-add MAC_ADMIN ..., docker run --cap-drop ..., or docker run --privileged (all capabilities)
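As an added example (not part of these notes), the Python below decodes the CapEff/CapBnd masks a container shows in /proc/&lt;pid&gt;/status using the numbering from /usr/include/linux/capability.h, and models the set `docker run` ends up with for --cap-add, --cap-drop and --privileged. The default Docker capability set and the add/drop ordering are assumptions taken from the Moby source, not stated in the notes.

```python
# Added example (not from the notes): decode Cap* masks as numbered in
# /usr/include/linux/capability.h and model what `docker run` grants.
# Index in this tuple == CAP_* number from linux/capability.h (CAP_CHOWN = 0).
CAP_NAMES = (
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
)
# Docker's default set, assumed here from the Moby source (not in the notes).
DOCKER_DEFAULT = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
})
# Constructed sample: Cap* lines from `cat /proc/1/status` in a plain
# `docker run` container (the well-known a80425fb default mask).
SAMPLE_STATUS = "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

def decode_caps(mask_hex: str) -> set[str]:
    """Turn a CapEff/CapBnd hex mask into the CAP names whose bit is set."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def caps_from_status(status_text: str, field: str = "CapEff") -> set[str]:
    """Pull one Cap* field out of /proc/<pid>/status text and decode it."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == field:
            return decode_caps(value.strip())
    raise KeyError(field)

def effective_caps(add=(), drop=(), privileged=False) -> set[str]:
    """Model `docker run`: --privileged or --cap-add ALL is everything,
    --cap-drop ALL starts empty, otherwise the default set; then named
    drops are removed and named adds applied (ordering assumed here)."""
    if privileged or "ALL" in add:
        caps = set(CAP_NAMES)
    elif "ALL" in drop:
        caps = set()
    else:
        caps = set(DOCKER_DEFAULT)
    caps -= {c for c in drop if c != "ALL"}
    caps |= {c for c in add if c != "ALL"}
    return caps
```

Feeding the real output of `docker exec <id> cat /proc/1/status` into caps_from_status is a quick way to confirm that a --cap-drop ALL policy actually took effect.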