I'm running Elasticsearch within Kubernetes and despite setting container limits on CPU use, Elasticsearch is able to exceed the limits and starve other containers.
For various reasons, I'm running the containers with:
privileged: true
Would this allow Elasticsearch to ignore the CPU limits?
As you can see in https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities, a container in privileged mode has no reason not to respect the limits it is given. That is, by default. If you run a container in privileged mode and grant it access to enough of the filesystem, you should be able to, e.g., modify cgroups and escape (set differently) the limits. This would require a pretty specific, targeted operation, hence it's doubtful any software that is not intended to manage cgroups (or exploit the system for more resources) will do that by default.
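One way to check from inside the pod whether the limit is actually in force, as an added example that is not part of the original question or answer: it reads the cgroup v2 files `cpu.max` and `cpu.stat`, compares the quota with the limit from the pod spec, and reports whether the cgroup filesystem is mounted read-write. It assumes cgroup v2 and a cgroup namespace, so the container's own group appears at `/sys/fs/cgroup`; the function names, the 500m limit and the sample strings are constructed for illustration.

```python
"""Audit a container's effective CPU limit from cgroup v2 files (added example)."""
from pathlib import Path

def parse_cpu_max(text):
    """Return the CPU limit in millicores from cpu.max, or None if unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) * 1000 // int(period)

def parse_cpu_stat(text):
    """Return the cpu.stat counters (usage_usec, nr_throttled, ...) as ints."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return {key: int(value) for key, value in pairs}

def cgroup_mount_writable(mounts_text):
    """True if a cgroup2 filesystem is mounted read-write (/proc/mounts format)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "cgroup2":
            if "rw" in fields[3].split(","):
                return True
    return False

def audit(cpu_max, cpu_stat, mounts, expected_millicores):
    """Compare the effective quota with the pod spec and list any findings."""
    findings = []
    limit = parse_cpu_max(cpu_max)
    if limit is None:
        findings.append("no CPU quota in force (cpu.max is 'max')")
    elif limit != expected_millicores:
        findings.append(f"quota is {limit}m but the pod spec says {expected_millicores}m")
    if cgroup_mount_writable(mounts):
        findings.append("cgroup filesystem is writable from inside the container")
    throttled = parse_cpu_stat(cpu_stat).get("nr_throttled", 0)
    return findings, throttled

if __name__ == "__main__":
    root = Path("/sys/fs/cgroup")
    if (root / "cpu.max").exists():
        findings, throttled = audit(
            (root / "cpu.max").read_text(),
            (root / "cpu.stat").read_text(),
            Path("/proc/mounts").read_text(),
            expected_millicores=500,  # assumed limit; take it from your pod spec
        )
        print(f"throttled periods: {throttled}")
        print("\n".join(findings) or "quota matches the pod spec")
```

A throttled count that stays at zero while the process is clearly CPU-bound is another sign that the quota is not the one being enforced.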