Add flag to overload default privileged host device behaviour

This commit adds a flag to the runtime config that allows overloading of the default
privileged behaviour. When the flag is enabled on a runtime, host devices won't
be appended to the runtime spec if the container is run as privileged.

By default the flag is false to maintain the current behaviour of privileged.

Fixes #1213

Signed-off-by: Alex Price <aprice@atlassian.com>
Alex Price
2019-08-07 16:22:26 +10:00
parent 95bd02d28f
commit 3353ab76d9
4 changed files with 135 additions and 52 deletions


@@ -117,6 +117,12 @@ version = 2
# * OCI: https://github.com/opencontainers/image-spec/blob/master/annotations.md
pod_annotations = []
# privileged_without_host_devices allows overloading the default behaviour of passing host
# devices through to privileged containers. This is useful when using a runtime where it does
# not make sense to pass host devices to the container when privileged. Defaults to false -
# i.e pass host devices through to privileged containers.
privileged_without_host_devices = false
# 'plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options' is options specific to
# "io.containerd.runc.v1". Its corresponding options type is:
# https://github.com/containerd/containerd/blob/v1.2.0-rc.1/runtime/v2/runc/options/oci.pb.go#L39.
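Review bot: the doc comment for `privileged_without_host_devices` should state explicitly that this option changes only the host-device injection and leaves the rest of the privileged behaviour untouched, since the commit message says the flag just stops host devices being appended to the runtime spec; as written, a reader could take "overloading the default behaviour of ... privileged containers" to mean a broader change to what privileged grants. It would also help to say that the setting is per-runtime (it sits under the `runtimes` entry, and the commit message describes it as "enabled on a runtime"), so an operator knows to set it on each runtime where it applies. Minor: "i.e pass" should read "i.e. pass".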