af0a494251
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well. Also, this PR re-vendors runtime-tools to fix capability adds so that added caps are applied to _all_ capability sets, **and** to fix a shared-slice aliasing issue (the capability sets were initialized from the same backing slice, so modifying one set was reflected in the others; the re-vendoring fixes this as well). Signed-off-by: Antonio Murdaca <runcom@redhat.com>
{
"metadata": {
"name": "container1",
"attempt": 1
},
"image": {
"image": "busybox:latest"
},
"command": [
"/bin/sh", "-c"
],
"args": [
"%shellcommand%"
],
"working_dir": "/",
"envs": [
{
"key": "PATH",
"value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
},
{
"key": "TERM",
"value": "xterm"
},
{
"key": "TESTDIR",
"value": "test/dir1"
},
{
"key": "TESTFILE",
"value": "test/file1"
}
],
"labels": {
"type": "small",
"batch": "no"
},
"annotations": {
"owner": "dragon",
"daemon": "crio"
},
"privileged": true,
"readonly_rootfs": true,
"log_path": "",
"stdin": false,
"stdin_once": false,
"tty": false,
"linux": {
"resources": {
"cpu_period": 10000,
"cpu_quota": 20000,
"cpu_shares": 512,
"oom_score_adj": 30
},
"security_context": {
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
}
}
}
}