sandbox: Use first class sysctls instead of annotations

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>

server/sandbox_run.go

@@ -398,15 +398,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	}
 
 	// extract linux sysctls from annotations and pass down to oci runtime
-	safe, unsafe, err := SysctlsFromPodAnnotations(kubeAnnotations)
-	if err != nil {
-		return nil, err
-	}
-	for _, sysctl := range safe {
-		g.AddLinuxSysctl(sysctl.Name, sysctl.Value)
-	}
-	for _, sysctl := range unsafe {
-		g.AddLinuxSysctl(sysctl.Name, sysctl.Value)
+	for key, value := range req.GetConfig().GetLinux().GetSysctls() {
+		g.AddLinuxSysctl(key, value)
 	}
 
 	// Set OOM score adjust of the infra container to be very low

test/pod.bats

@@ -210,7 +210,7 @@ function teardown() {
 
 @test "pass pod sysctls to runtime" {
 	start_crio
-	run crioctl pod run --config "$TESTDATA"/sandbox_config.json
+	run crioctl pod run --config "$TESTDATA"/sandbox_config_sysctl.json
 	echo "$output"
 	[ "$status" -eq 0 ]
 	pod_id="$output"

test/testdata/sandbox_config.json

@@ -28,8 +28,6 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {

test/testdata/sandbox_config_hostnet.json

@@ -32,7 +32,6 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {

test/testdata/sandbox_config_hostport.json

@@ -38,8 +38,6 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {

test/testdata/sandbox_config_selinux.json

@@ -28,8 +28,6 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {

test/testdata/sandbox_config_sysctl.json

@@ -0,0 +1,54 @@
+{
+	"metadata": {
+		"name": "podsandbox1",
+		"uid": "redhat-test-crio",
+		"namespace": "redhat.test.crio",
+		"attempt": 1
+	},
+	"hostname": "crioctl_host",
+	"log_directory": "",
+	"dns_config": {
+		"searches": [
+			"8.8.8.8"
+		]
+	},
+	"port_mappings": [],
+	"resources": {
+		"cpu": {
+			"limits": 3,
+			"requests": 2
+		},
+		"memory": {
+			"limits": 50000000,
+			"requests": 2000000
+		}
+	},
+	"labels": {
+		"group": "test"
+	},
+	"annotations": {
+		"owner": "hmeng",
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+	},
+	"linux": {
+		"sysctls": {
+			"kernel.shm_rmid_forced": "1",
+			"net.ipv4.ip_local_port_range": "1024 65000",
+			"kernel.msgmax": "8192"
+		},
+		"cgroup_parent": "/Burstable/pod_123-456",
+		"security_context": {
+			"namespace_options": {
+				"host_network": false,
+				"host_pid": false,
+				"host_ipc": false
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "svirt_lxc_net_t",
+				"level": "s0:c4,c5"
+			}
+		}
+	}
+}

test/testdata/template_sandbox_config.json

@@ -28,8 +28,6 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
-		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
 		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
 	},
 	"linux": {