From 4462480e54cf1666be7fae91937fcaa3757dca66 Mon Sep 17 00:00:00 2001
From: Samuel Ortiz
Date: Thu, 8 Jun 2017 14:03:24 +0200
Subject: [PATCH] sandbox: Check for trusted annotations

If we get a kubelet annotation about the sandbox trust level, we use it to toggle our sandbox trust flag.

Signed-off-by: Samuel Ortiz
---
 server/sandbox_run.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 66cf155b..5b50670e 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -50,7 +50,15 @@ func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
 
 // trustedSandbox returns true if the sandbox will run trusted workloads.
 func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool {
- return true
+ kubeAnnotations := req.GetConfig().GetAnnotations()
+
+ trustedAnnotation, ok := kubeAnnotations[annotations.TrustedSandbox]
+ if !ok {
+ // A sandbox is trusted by default.
+ return true
+ }
+
+ return isTrue(trustedAnnotation)
 }
 
 func (s *Server) runContainer(container *oci.Container, cgroupParent string) error {
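Review bot: trustedSandbox now takes the trust decision from a request annotation and still returns true when the annotation is missing, so the result fails open: a pod that omits `annotations.TrustedSandbox`, or sets it to a true value, is treated as trusted. If pod annotations can be set by whoever submits the workload (as is normally the case for Kubernetes pod metadata), this flag cannot be the only thing that keeps an untrusted workload off the trusted path; a server-side default or policy check would have to bound what the annotation is allowed to request. How `isTrue` handles malformed values is not visible in this hunk, and it should return false for anything it cannot parse. At minimum the doc comment should say so: `// trustedSandbox reports whether the sandbox runs trusted workloads. The value comes from the caller-supplied annotation and defaults to true when absent; it is not an authorization check.`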