github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

cri: Verify userns container config is consisten with sandbox

Browse Source 
The sandbox and container both have the userns config. Lets make sure
they are the same, therefore consistent.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos
2022-12-30 14:19:50 -03:00
parent a44b356274
commit 4eed20fc31
3 changed files with 131 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/cri/server/container_create_linux.go
View File

@@ -316,6 +316,12 @@ func (c *criService) containerSpec(
return nil, fmt.Errorf("user namespace configuration: %w", err)
}
// Check sandbox userns config is consistent with container config.
sandboxUsernsOpts := sandboxConfig.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions()
if !sameUsernsConfig(sandboxUsernsOpts, nsOpts.GetUsernsOptions()) {
return nil, fmt.Errorf("user namespace config for sandbox is different from container. Sandbox userns config: %v - Container userns config: %v", sandboxUsernsOpts, nsOpts.GetUsernsOptions())
}
specOpts = append(specOpts,
customopts.WithOOMScoreAdj(config, c.config.RestrictOOMScoreAdj),
customopts.WithPodNamespaces(securityContext, sandboxPid, targetPid, uids, gids),