diff --git a/vendor.conf b/vendor.conf
index d8063b2a9..6233a59af 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -48,7 +48,7 @@ github.com/hashicorp/golang-lru v0.5.3
 go.opencensus.io v0.22.0
 # cri dependencies
-github.com/containerd/cri f1d492b0cdd14e76476ee4dd024696ce3634e501 # master
+github.com/containerd/cri 0165d516161e25e52b4ab52a404a00823f8f0ef6 # master
 github.com/containerd/go-cni 49fbd9b210f3c8ee3b7fd3cd797aabaf364627c1
 github.com/containernetworking/cni v0.7.1
 github.com/containernetworking/plugins v0.7.6
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
index d6f9779c4..d34e66754 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 if !c.config.DisableProcMount {
 // Apply masked paths if specified.
- // Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
+ // If the container is privileged, this will be cleared later on.
 specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
 // Apply readonly paths if specified.
- // Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
+ // If the container is privileged, this will be cleared later on.
 specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
 }
@@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 return nil, nil
 }
 switch apparmorProf {
- case runtimeDefault:
+ // Based on kubernetes#51746, default apparmor profile should be applied
+ // for when apparmor is not specified.
+ case runtimeDefault, "":
+ if privileged {
+ // Do not set apparmor profile when container is privileged
+ return nil, nil
+ }
 // TODO (mikebrow): delete created apparmor default profile
 return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 case unconfinedProfile:
 return nil, nil
- case "":
- // Based on kubernetes#51746, default apparmor profile should be applied
- // for non-privileged container when apparmor is not specified.
- if privileged {
- return nil, nil
- }
- return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 default:
 // Require and Trim default profile name prefix
 if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
diff --git a/vendor/github.com/containerd/cri/pkg/server/image_pull.go b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
index daa388481..942dcbeea 100644
--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@@ -187,7 +187,8 @@ func ParseAuth(auth *runtime.AuthConfig, host string) (string, string, error) {
 return user, strings.Trim(passwd, "\x00"), nil
 }
 // TODO(random-liu): Support RegistryToken.
- return "", "", errors.New("invalid auth config")
+ // An empty auth config is valid for anonymous registry
+ return "", "", nil
 }
 // createImageReference creates image reference inside containerd image store.