0e51bbb778
Container runtimes provide different levels of isolation, from kernel namespaces to hardware virtualization. When starting a specific container, one may want to choose the level of isolation depending on how much the container workload is trusted. Fully verified and signed containers may not need the hardware isolation layer but e.g. CI jobs pulling packages from many untrusted sources should probably not run only on a kernel namespace isolation layer. Here we allow CRI-O users to define a container runtime for trusted containers and another one for untrusted containers, and also to define a general, default trust level. This anticipates future kubelet implementations that would be able to tag containers as trusted or untrusted. When missing a kubelet hint, containers are trusted by default. A container becomes untrusted if we get a hint in that direction from kubelet or if the default trust level is set to "untrusted" and the container is not privileged. In both cases CRI-O will try to use the untrusted container runtime. For any other cases, it will switch to the trusted one. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
package annotations
// Annotation keys written by CRI-O onto the OCI runtime spec. Each one is an
// untyped string constant carrying the "io.kubernetes.cri-o." prefix.

// Annotations carries the full set of annotations received from the Kubelet.
const Annotations = "io.kubernetes.cri-o.Annotations"

// ContainerID holds the container ID.
const ContainerID = "io.kubernetes.cri-o.ContainerID"

// ContainerName holds the container name.
const ContainerName = "io.kubernetes.cri-o.ContainerName"

// ContainerType holds the container type; its values are ContainerTypeSandbox
// and ContainerTypeContainer, declared in this package.
const ContainerType = "io.kubernetes.cri-o.ContainerType"

// Created holds the container creation time.
const Created = "io.kubernetes.cri-o.Created"

// HostName holds the container host name.
const HostName = "io.kubernetes.cri-o.HostName"

// Image holds the container image ID.
const Image = "io.kubernetes.cri-o.Image"

// KubeName holds the kubernetes name.
const KubeName = "io.kubernetes.cri-o.KubeName"

// Labels holds the kubernetes labels.
const Labels = "io.kubernetes.cri-o.Labels"

// LogPath holds the container logging path.
const LogPath = "io.kubernetes.cri-o.LogPath"

// Metadata holds the container metadata.
const Metadata = "io.kubernetes.cri-o.Metadata"

// Name holds the pod name.
const Name = "io.kubernetes.cri-o.Name"

// PrivilegedRuntime holds the privileged runtime path.
const PrivilegedRuntime = "io.kubernetes.cri-o.PrivilegedRuntime"

// ResolvPath holds the resolver configuration path.
const ResolvPath = "io.kubernetes.cri-o.ResolvPath"

// SandboxID holds the sandbox ID.
const SandboxID = "io.kubernetes.cri-o.SandboxID"

// SandboxName holds the sandbox name.
const SandboxName = "io.kubernetes.cri-o.SandboxName"

// ShmPath holds the shared memory path.
const ShmPath = "io.kubernetes.cri-o.ShmPath"

// TrustedSandbox marks a sandbox as trusted. Per the commit description this
// trust hint is what selects the trusted or untrusted OCI runtime, so the value
// stored under it is isolation-relevant — NOTE(review): confirm against the
// runtime-selection code, which is not in this file.
const TrustedSandbox = "io.kubernetes.cri-o.TrustedSandbox"

// TTY holds the terminal path.
const TTY = "io.kubernetes.cri-o.TTY"

// Stdin holds the stdin flag.
const Stdin = "io.kubernetes.cri-o.Stdin"

// StdinOnce holds the stdin_once flag.
const StdinOnce = "io.kubernetes.cri-o.StdinOnce"
// Values stored under the ContainerType annotation. Each one is an untyped
// string constant.

// ContainerTypeSandbox marks a pod sandbox container.
const ContainerTypeSandbox = "sandbox"

// ContainerTypeContainer marks a container running within a pod.
const ContainerTypeContainer = "container"