More clarifications

pull/3715/head
Thomas Strömberg 2019-02-18 06:46:03 -08:00 committed by GitHub
parent 1e68707893
commit 51643bba78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 6 deletions

@ -8,9 +8,7 @@ The `none` driver allows advanced minikube users to skip VM creation, allowing m
## What operating systems are supported?
The `none` driver supports releases of Debian, Ubuntu, and Fedora that are less than 2 years old
In practice, any systemd-based modern distribution is likely to work, and we will happily accept pull requests which improve compatibility with other systems.
The `none` driver supports releases of Debian, Ubuntu, and Fedora that are less than 2 years old. In practice, any systemd-based modern distribution is likely to work, and we will accept pull requests which improve compatibility with other systems.
## Can vm-driver=none be used outside of a VM?
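Review bot: In the support paragraph, "releases of Debian, Ubuntu, and Fedora that are less than 2 years old" gives no reference date and no version numbers, so a reader cannot tell whether a given release qualifies. Consider listing the oldest supported release of each distribution, or saying what date the two years are counted from.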
@ -22,11 +20,19 @@ minikube was designed to run Kubernetes within a dedicated VM, and assumes that
* /usr/local/bin/kubectl
* /etc/kubernetes
## Security
It will also install `kubelet` as a systemd service, as well as start/stop container runtime services if installed.
With the `none` driver, minikube has only limited container isolation abilities, which can result in decreased host security and reliability. It is highly recommended that your host is isolated from the rest of the network using a firewall.
## Security Limitations
Additionally, minikube with the `none` driver has a very confusing permissions model, as some commands need to be run as root ("start"), and others by a regular user ("dashboard").
With the `none` driver, minikube has limited container isolation abilities. Applications running in a container may be able to access your host filesystem. Through using a container escape vulnerability such as [CVE-2019-5736](https://access.redhat.com/security/vulnerabilities/runcescape), they may also be able to execute arbitrary code on your host.
When using the `none` driver, it is highly recommended that your host is isolated from the rest of the network using a firewall.
Additionally, minikube with the `none` driver has a very confusing permissions model, as some commands need to be run as root ("start"), and others by a regular user ("dashboard"). In a future release, we intend to disallow running `minikube`, and instead call into `sudo` when necesarry to avoid permissions issues.
# Uninstall
The `none` driver now supports uninstallation via `minikube delete`. Please note that it will not fully remove /etc/kubernetes, since it does not track which files in /etc/kubernetes existed before the installation.
## Known Issues
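Review bot: The last sentence of the permissions paragraph, "we intend to disallow running `minikube`, and instead call into `sudo` when necesarry", reads as if running minikube at all will be disallowed; it appears to be missing the qualifier that says what is being disallowed (for example "as root"), and "necesarry" should be "necessary". In the Security Limitations text, the only mitigation offered is a network firewall, while the risks described just above it (host filesystem access and container escape via CVE-2019-5736) come from workloads already running on the host, so it would help to add a sentence about which workloads are appropriate to run with this driver. Also, `# Uninstall` is a top-level heading while the sections around it use `##`.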