From 7a2b04758bfb52c17e1780dc432cff586b714839 Mon Sep 17 00:00:00 2001
From: Mike Brown
Date: Mon, 7 Jun 2021 17:57:18 -0500
Subject: [PATCH] adds explanation for seccomp unset/unconfined default vs runtime default

Signed-off-by: Mike Brown
---
 docs/cri/config.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/cri/config.md b/docs/cri/config.md
index 102c57d00..4eae141cc 100644
--- a/docs/cri/config.md
+++ b/docs/cri/config.md
@@ -97,8 +97,14 @@ version = 2
 # when using containerd with Kubernetes <=1.11.
 disable_proc_mount = false
 
-# unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is
-# unset (`""`) for a container (default is `unconfined`)
+# unset_seccomp_profile is the seccomp profile containerd/cri will use if the seccomp
+# profile requested over CRI is unset (or nil) for a pod/container (otherwise if this field is not set the
+# default unset profile will map to `unconfined`)
+# Note: The default unset seccomp profile should not be confused with the seccomp profile
+# used in CRI when the runtime default seccomp profile is requested. In the later case, the
+# default is set by the following code (https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go).
+# To summarize, there are two different seccomp defaults, the unset default used when the CRI request is
+# set to nil or `unconfined`, and the default used when the runtime default seccomp profile is requested.
 unset_seccomp_profile = ""
 
 # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd