Privileged Containers

Normally, when containers are started, they only have restricted access to the host system and kernel capabilities. This is a security feature that helps to isolate containers from the host.

When started as privileged, a container gets access that is almost equivalent to running directly on the host system: all kernel capabilities and access to host devices.

DIND

DIND or "Docker in Docker" is a common use case for privileged containers. This is where a Docker container runs a Docker daemon inside it, allowing it to build and run other Docker containers.

Such DIND containers have access to kernel capabilities such as creating network interfaces, mounting filesystems, and managing control groups, all of which are needed to run a Docker container.

(Figure: docker-dind)

What can the host Docker daemon see?

The host Docker daemon can't see the containers running inside the DIND container. The DIND container runs its own Docker daemon, so the host daemon has no metadata about the containers that inner daemon creates.

Namespaces aren't nested

When DIND creates containers, it creates them as siblings of itself on the host system, not as nested containers inside itself. This is because Linux namespaces don't support nesting.
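Because the host daemon cannot see inside a DIND container, a defender has to audit the containers the host daemon does know about for host-level access. The following script is an added example, not part of the original page; it parses a constructed, abridged sample of `docker inspect` output and flags containers that are privileged, that were granted host-level capabilities with `cap_add`, that mount the Docker socket, or that run a DIND image. The `RISKY_CAPS` set and the `audit` function are this example's own choices.

```python
import json
from typing import Dict, List

# Constructed, abridged sample of `docker inspect` output: only the fields the
# audit reads are present; a real record carries many more keys.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner", "Config": {"Image": "docker:dind"},
     "HostConfig": {"Privileged": True, "CapAdd": None, "Binds": None}},
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": None}},
    {"Name": "/builder", "Config": {"Image": "alpine:3.19"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN", "NET_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock:rw"]}},
])

# Added capabilities that hand a container the host-level powers the text lists
# for DIND (mounting filesystems, creating interfaces, managing cgroups) or that
# otherwise reach past the container boundary. Chosen for this example.
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _norm_cap(cap: str) -> str:
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; normalise to the short form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings; containers with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig") or {}
        reasons: List[str] = []
        if hc.get("Privileged"):
            reasons.append("privileged: all capabilities and all host devices")
        caps = {_norm_cap(cap) for cap in (hc.get("CapAdd") or [])}
        for cap in sorted(caps & RISKY_CAPS):
            reasons.append(f"cap_add {cap}: host-level capability granted")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/var/run/docker.sock":
                reasons.append("docker.sock mounted: can start sibling containers on the host")
        if "dind" in (c.get("Config") or {}).get("Image", ""):
            reasons.append("DIND image: its inner containers are invisible to the host daemon")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(name, *("  - " + r for r in reasons), sep="\n")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)`; the same checks can be applied to Compose files or Kubernetes pod specs, which have equivalent `privileged` and capability fields.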