github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

adds explanation for seccomp unset/unconfined default vs runtime default

Browse Source 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown 2021-06-07 17:57:18 -05:00
parent 7d77b51b49
commit 7a2b04758b
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/cri/config.md
View File

@ -97,8 +97,14 @@ version = 2
# when using containerd with Kubernetes <=1.11. # when using containerd with Kubernetes <=1.11.
disable_proc_mount = false disable_proc_mount = false
# unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is # unset_seccomp_profile is the seccomp profile containerd/cri will use if the seccomp
# unset (`""`) for a container (default is `unconfined`) # profile requested over CRI is unset (or nil) for a pod/container (otherwise if this field is not set the
# default unset profile will map to `unconfined`)
# Note: The default unset seccomp profile should not be confused with the seccomp profile
# used in CRI when the runtime default seccomp profile is requested. In the later case, the
# default is set by the following code (https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go).
# To summarize, there are two different seccomp defaults, the unset default used when the CRI request is
# set to nil or `unconfined`, and the default used when the runtime default seccomp profile is requested.
unset_seccomp_profile = "" unset_seccomp_profile = ""
# 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd