adds explanation for seccomp unset/unconfined default vs runtime default

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2021-06-07 17:57:18 -05:00 · 2021-06-07 17:57:18 -05:00 · 7a2b04758b
commit 7a2b04758b
parent 7d77b51b49
1 changed files with 8 additions and 2 deletions
--- a/docs/cri/config.md
+++ b/docs/cri/config.md
@ -97,8 +97,14 @@ version = 2
  # when using containerd with Kubernetes <=1.11.
  disable_proc_mount = false

-  # unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is
-  # unset (`""`) for a container (default is `unconfined`)
+  # unset_seccomp_profile is the seccomp profile containerd/cri will use if the seccomp
+  # profile requested over CRI is unset (or nil) for a pod/container (otherwise if this field is not set the
+  # default unset profile will map to `unconfined`)
+    # Note: The default unset seccomp profile should not be confused with the seccomp profile
+    # used in CRI when the runtime default seccomp profile is requested. In the later case, the
+    # default is set by the following code (https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go).
+    # To summarize, there are two different seccomp defaults, the unset default used when the CRI request is
+    # set to nil or `unconfined`, and the default used when the runtime default seccomp profile is requested.
  unset_seccomp_profile = ""

  # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd