vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

sandbox: Check for trusted annotations

Browse source 
If we get a kubelet annotation about the sandbox trust level, we use it
to toggle our sandbox trust flag.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
This commit is contained in:
Samuel Ortiz 2017-06-08 14:03:24 +02:00
parent 0e51bbb778
commit 4462480e54
1 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
server/sandbox_run.go
View file

@ -50,9 +50,17 @@ func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
// trustedSandbox returns true if the sandbox will run trusted workloads. // trustedSandbox returns true if the sandbox will run trusted workloads.
func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool { func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool {
kubeAnnotations := req.GetConfig().GetAnnotations()
trustedAnnotation, ok := kubeAnnotations[annotations.TrustedSandbox]
if !ok {
// A sandbox is trusted by default.
return true return true
} }
return isTrue(trustedAnnotation)
}
func (s *Server) runContainer(container *oci.Container, cgroupParent string) error { func (s *Server) runContainer(container *oci.Container, cgroupParent string) error {
if err := s.runtime.CreateContainer(container, cgroupParent); err != nil { if err := s.runtime.CreateContainer(container, cgroupParent); err != nil {
return err return err