docs: Clarify security boundaries in privileged mode

See kata-containers/runtime#1568 Fixes kata-containers#453 Signed-off-by: Leopold Schabel <[email protected]>
leoluk · May 2, 2019 · c69a806 · c69a806
1 parent 7364e08
commit c69a806
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Limitations.md b/Limitations.md
@@ -221,11 +221,15 @@ See more documentation at
 
 Privileged support in Kata is essentially different from `runc` containers.
 Kata does support `docker run --privileged` command, but in this case full access
-to the guest VM is provided instead of the host.
+to the guest VM is provided in addition to some host access.
+
 The container runs with elevated capabilities within the guest and is granted 
 access to guest devices instead of the host devices.
 This is also true with using `securityContext privileged=true` with Kubernetes.
 
+The container may also be granted full access to a subset of host devices
+(https://github.com/kata-containers/runtime/issues/1568).
+
 # Miscellaneous
 
 This section lists limitations where the possible solutions are uncertain.