add oci.WithAllDevicesAllowed flag for privileged_without_host_devices

This commit adds a flag that enable all devices whitelisting when privileged_without_host_devices is already enabled. Fixes #5679 Signed-off-by: Dat Nguyen <dnguyen7@atlassian.com>
2021-07-05 13:21:12 +10:00
parent 493220b719
commit afe39bebfe
5 changed files with 65 additions and 9 deletions
--- a/pkg/cri/config/config_test.go
+++ b/pkg/cri/config/config_test.go
@@ -360,6 +360,21 @@ func TestValidateConfig(t *testing.T) {
 			},
 			expectedErr: "`configs.tls` cannot be set when `config_path` is provided",
 		},
+		"privileged_without_host_devices_all_devices_allowed without privileged_without_host_devices": {
+			config: &PluginConfig{
+				ContainerdConfig: ContainerdConfig{
+					DefaultRuntimeName: RuntimeDefault,
+					Runtimes: map[string]Runtime{
+						RuntimeDefault: {
+							PrivilegedWithoutHostDevices:                  false,
+							PrivilegedWithoutHostDevicesAllDevicesAllowed: true,
+							Type: "default",
+						},
+					},
+				},
+			},
+			expectedErr: "`privileged_without_host_devices_all_devices_allowed` requires `privileged_without_host_devices` to be enabled",
+		},
 	} {
 		t.Run(desc, func(t *testing.T) {
 			err := ValidatePluginConfig(context.Background(), test.config)