Running KubeVirt Workloads with No Additional Privileges

Explore the advancements in running KubeVirt workloads without additional privileges in this informative conference talk by Ľuboslav Pivarč from Red Hat. Dive into the journey of KubeVirt's evolution towards minimizing required capabilities for running virtual machines alongside containers on Kubernetes. Learn about the implementation of rootless user execution, seamless SELinux integration, and the challenges faced in achieving unprivileged networking. Discover the importance of considering security best practices when developing virtualization features, including the use of Linux Security Modules like SELinux and AppArmor. Gain insights into addressing issues related to storage, devices, and file capabilities, and understand the significance of Cell Linux in this context. Acquire valuable knowledge on enhancing security and efficiency in containerized and virtualized environments.

Introduction
Policy Spectrum
What is restricted
Unprivileged networking
How to address the problem
Running the workloads as normal
Security policies
Storage
Devices
Solution
Problem
File capabilities
File capabilities drawbacks
Cell Linux
Whats left
Outro