By default, Docker containers are unprivileged. Of course, devices can be added individually with docker run --device /dev/abc0, but this cannot yet be done in Kubernetes.
In any event, I have an arbitrary number of devices per node, which makes it easier to map /dev and to enable a cgroup rule: docker run -v /dev:/dev --device-cgroup-rule='c 123:* rmw'. How can I pass this --device-cgroup-rule to specific or all Docker containers controlled by Kubernetes? Can a RuntimeClass help? A system-level cgroup config?
If I understand you correctly, you should focus on Kubelet, its support for several container runtimes and its integration with Docker.
According to this documentation, there are plenty of options to choose from, like:
--cgroup-driver string
Driver that the kubelet uses to manipulate cgroups on the host.
--cgroup-root string
Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default.
--enforce-node-allocatable stringSlice
A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are 'pods', 'system-reserved' & 'kube-reserved'. If the latter two options are specified, '--system-reserved-cgroup' & '--kube-reserved-cgroup' must also be set respectively. See /docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (default [pods])
--runtime-cgroups string
Optional absolute name of cgroups to create and run the runtime in.
Please look into them and verify if they satisfy your needs.
Please let me know if that helped.
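Whichever route ends up setting the rule, it is worth verifying what a container actually received. As an added example (not code from the question or the answer), the following Python helper parses a cgroup v1 devices.list and applies the kernel's whitelist semantics (a single entry must match the device type, major and minor and cover every requested access mode), so you can check what a rule such as c 123:* rmw really grants. It assumes the cgroup v1 devices controller (cgroup v2 enforces device access through a BPF program and exposes no devices.list); the sample devices.list content is constructed.

```python
import os
import re
import stat

# Constructed sample of a cgroup v1 devices.list (read from
# /sys/fs/cgroup/devices/<container cgroup>/devices.list). The last line is
# what --device-cgroup-rule='c 123:* rmw' adds; the rest are illustrative.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 5:0 rwm
c 10:200 rwm
c 123:* rwm
"""

# <type> <major>:<minor> <access>; '*' is a wildcard, type 'a' matches b and c.
RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

def parse_rule(line):
    """One devices.list line -> (type, major, minor, access set); None = wildcard."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a device cgroup rule: {line!r}")
    dtype, major, minor, access = m.groups()
    num = lambda s: None if s == "*" else int(s)
    return dtype, num(major), num(minor), frozenset(access)

def parse_devices_list(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def is_allowed(rules, dtype, major, minor, access):
    """Kernel whitelist semantics: one rule must match type, major and minor
    and cover every requested access mode ('r', 'w', 'm' = mknod)."""
    for rtype, rmajor, rminor, raccess in rules:
        if rtype != "a" and rtype != dtype:
            continue
        if rmajor is not None and rmajor != major:
            continue
        if rminor is not None and rminor != minor:
            continue
        if set(access) <= raccess:
            return True
    return False

def device_of(path):
    """(type, major, minor) of a host device node such as /dev/abc0."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        return "c", os.major(st.st_rdev), os.minor(st.st_rdev)
    if stat.S_ISBLK(st.st_mode):
        return "b", os.major(st.st_rdev), os.minor(st.st_rdev)
    raise ValueError(f"{path} is not a device node")
```

On a node, `is_allowed(parse_devices_list(open(path).read()), *device_of("/dev/abc0"), "rw")` answers whether a given container cgroup may open that device read-write.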