sandbox: Check for trusted annotations

If we get a kubelet annotation about the sandbox trust level, we use it
to toggle our sandbox trust flag.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
This commit is contained in:
Samuel Ortiz 2017-06-08 14:03:24 +02:00
parent 0e51bbb778
commit 4462480e54

View file

@ -50,7 +50,15 @@ func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
// trustedSandbox returns true if the sandbox will run trusted workloads.
func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool {
return true
kubeAnnotations := req.GetConfig().GetAnnotations()
trustedAnnotation, ok := kubeAnnotations[annotations.TrustedSandbox]
if !ok {
// A sandbox is trusted by default.
return true
}
return isTrue(trustedAnnotation)
}
func (s *Server) runContainer(container *oci.Container, cgroupParent string) error {