Update docs for unset seccomp profile

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Maksym Pavlenko 2020-05-10 10:46:58 -07:00
parent 38f19f991e
commit 674fe72aa8
4 changed files with 9 additions and 4 deletions


@ -78,6 +78,10 @@ version = 2
# when using containerd with Kubernetes <=1.11. # when using containerd with Kubernetes <=1.11.
disable_proc_mount = false disable_proc_mount = false
# unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is
# unset (`""`) for a container (default is `unconfined`)
unset_seccomp_profile = ""
# 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd
[plugins."io.containerd.grpc.v1.cri".containerd] [plugins."io.containerd.grpc.v1.cri".containerd]


@ -225,8 +225,9 @@ type PluginConfig struct {
// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true` // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
// when using containerd with Kubernetes <=1.11. // when using containerd with Kubernetes <=1.11.
DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"` DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
// DefaultSeccompProfile is a seccomp profile to use if not provided by k8s. // UnsetSeccompProfile is the profile containerd/cri will use If the provided seccomp profile is
DefaultSeccompProfile string `toml:"default_seccomp_profile" json:"defaultSeccompProfile"` // unset (`""`) for a container (default is `unconfined`)
UnsetSeccompProfile string `toml:"unset_seccomp_profile" json:"unsetSeccompProfile"`
} }
// X509KeyPairStreaming contains the x509 configuration for streaming // X509KeyPairStreaming contains the x509 configuration for streaming
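Review bot: Renaming the TOML key to `unset_seccomp_profile` leaves no path for configs that still carry `default_seccomp_profile`. If the decoder ignores unknown keys (not visible here), such a config would silently fall back to the empty value, which the comment says means `unconfined`, so a node previously set to a filtered profile would lose syscall filtering after upgrade without any error. If the old key ever shipped, consider accepting it as a deprecated alias or failing config load when it is present. The doc comment also has a stray capital "If" and no closing period; something like `// UnsetSeccompProfile is the profile containerd/cri uses when a container's seccomp profile is unset (empty string). Leaving it empty runs such containers unconfined.` reads more clearly. The struct starts outside the hunk.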


@ -306,7 +306,7 @@ func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, sec
return nil, nil return nil, nil
} }
if seccompProf == "" { if seccompProf == "" {
seccompProf = c.config.DefaultSeccompProfile seccompProf = c.config.UnsetSeccompProfile
} }
// Set seccomp profile // Set seccomp profile
if seccompProf == runtimeDefault || seccompProf == dockerDefault { if seccompProf == runtimeDefault || seccompProf == dockerDefault {
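Review bot: The value assigned at `seccompProf = c.config.UnsetSeccompProfile` is used as-is, and nothing in this hunk shows it being validated when the config is loaded. If it is not checked elsewhere, a mistyped profile name would surface only per container, when the spec is generated. The assignment should also say what an empty config value leads to, since that is the security-relevant default: `// Empty UnsetSeccompProfile keeps seccompProf empty; per the config docs that runs the container unconfined.` The function body continues past the hunk, so the handling of the empty case is not visible here.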


@ -837,7 +837,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
} { } {
t.Run(fmt.Sprintf("TestCase %q", desc), func(t *testing.T) { t.Run(fmt.Sprintf("TestCase %q", desc), func(t *testing.T) {
cri := &criService{} cri := &criService{}
cri.config.DefaultSeccompProfile = test.defaultProfile cri.config.UnsetSeccompProfile = test.defaultProfile
specOpts, err := cri.generateSeccompSpecOpts(test.profile, test.privileged, !test.disable) specOpts, err := cri.generateSeccompSpecOpts(test.profile, test.privileged, !test.disable)
assert.Equal(t, assert.Equal(t,
reflect.ValueOf(test.specOpts).Pointer(), reflect.ValueOf(test.specOpts).Pointer(),
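Review bot: The table field feeding the config is still named `defaultProfile` although it now sets `UnsetSeccompProfile`; renaming it (for example `unsetProfile`) would keep the test and config vocabulary aligned. The test table is outside the hunk, so it is not visible whether any case has both `test.profile` and the configured value empty. That case pins the unconfined fallback and is worth having explicitly.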