Hello,
I’ve set up user namespaces in the Docker daemon to isolate containers from the host.
Unfortunately, users who can run the Docker CLI are still able to start containers with --userns=host to expose the host.
I’d like to disallow this behavior.
Is removing the --userns and --privileged options from docker-ce/master/components/cli/cli/command/container/opts.go enough to accomplish what I want?
Any other suggestions to accomplish my goal of unconditionally enforcing the defined uid/gid mappings for containers?