Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> writes:

>> applications meets the needs of these PODs that need to do
>> privileged/bpf things without any tokens. Ultimately you are trusting
>> these apps in the same way as if you were granting a token.
>
> Yes, absolutely. As I mentioned very explicitly, it's the question of
> trusting the application. Service vs token is an implementation detail,
> but one that has huge implications in how applications are built,
> tested, versioned, deployed, etc.

So one thing that I don't really get is why such a "trusted application"
needs to be run in a user namespace in the first place? If it's trusted,
why not simply run it as a privileged container (without the user
namespace) and grant it the right system-level capabilities, instead of
going to all this trouble just to punch a hole in the user namespace
isolation?

-Toke