Merge pull request #5939 from scuzhanglei/privileged-device
This commit is contained in:
Fu Wei
@@ -213,6 +213,9 @@ func (c *criService) containerSpec(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
|
||||||
|
customopts.WithCapabilities(securityContext, c.allCaps))
|
||||||
|
|
||||||
if securityContext.GetPrivileged() {
|
if securityContext.GetPrivileged() {
|
||||||
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
|
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||||
return nil, errors.New("no privileged container allowed in sandbox")
|
return nil, errors.New("no privileged container allowed in sandbox")
|
||||||
@@ -220,14 +223,7 @@ func (c *criService) containerSpec(
|
|||||||
specOpts = append(specOpts, oci.WithPrivileged)
|
specOpts = append(specOpts, oci.WithPrivileged)
|
||||||
if !ociRuntime.PrivilegedWithoutHostDevices {
|
if !ociRuntime.PrivilegedWithoutHostDevices {
|
||||||
specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
|
specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
|
||||||
} else {
|
|
||||||
// add requested devices by the config as host devices are not automatically added
|
|
||||||
specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
|
|
||||||
customopts.WithCapabilities(securityContext, c.allCaps))
|
|
||||||
}
|
}
|
||||||
} else { // not privileged
|
|
||||||
specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
|
|
||||||
customopts.WithCapabilities(securityContext, c.allCaps))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clear all ambient capabilities. The implication of non-root + caps
|
// Clear all ambient capabilities. The implication of non-root + caps
|
||||||
|
|||||||
Reference in New Issue
Block a user