Merge pull request #1504 from lorenz/ignore-image-defined-volumes

Add option for ignoring volumes defined in images
2020-06-14 11:52:48 -05:00
parent 26dc5b9772 5a1d49b063
commit b661ad711e
5 changed files with 19 additions and 3 deletions
--- a/docs/config.md
+++ b/docs/config.md
@@ -45,6 +45,11 @@ version = 2
  # It generates a self-sign certificate unless the following x509_key_pair_streaming are both set.
  enable_tls_streaming = false

+  # ignore_image_defined_volumes ignores volumes defined by the image. Useful for better resource
+	# isolation, security and early detection of issues in the mount configuration when using
+	# ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+  ignore_image_defined_volumes = false
+
  # 'plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming' contains a x509 valid key pair to stream with tls.
  [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
    # tls_cert_file is the filepath to the certificate paired with the "tls_key_file"