Update cri to 0165d516161e25e52b4ab52a404a00823f8f0ef6

Signed-off-by: Nishchay Kumar <mrawesomenix@gmail.com>

vendor.conf

@@ -48,7 +48,7 @@ github.com/hashicorp/golang-lru v0.5.3
 go.opencensus.io v0.22.0
 
 # cri dependencies
-github.com/containerd/cri f1d492b0cdd14e76476ee4dd024696ce3634e501 # master
+github.com/containerd/cri 0165d516161e25e52b4ab52a404a00823f8f0ef6 # master
 github.com/containerd/go-cni 49fbd9b210f3c8ee3b7fd3cd797aabaf364627c1
 github.com/containernetworking/cni v0.7.1
 github.com/containernetworking/plugins v0.7.6

vendor/github.com/containerd/cri/pkg/server/container_create.go

@@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 
 	if !c.config.DisableProcMount {
 		// Apply masked paths if specified.
-		// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
+		// If the container is privileged, this will be cleared later on.
 		specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))
 
 		// Apply readonly paths if specified.
-		// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
+		// If the container is privileged, this will be cleared later on.
 		specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
 	}
 
@@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 		return nil, nil
 	}
 	switch apparmorProf {
-	case runtimeDefault:
+	// Based on kubernetes#51746, default apparmor profile should be applied
+	// for when apparmor is not specified.
+	case runtimeDefault, "":
+		if privileged {
+			// Do not set apparmor profile when container is privileged
+			return nil, nil
+		}
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 	case unconfinedProfile:
 		return nil, nil
-	case "":
-		// Based on kubernetes#51746, default apparmor profile should be applied
-		// for non-privileged container when apparmor is not specified.
-		if privileged {
-			return nil, nil
-		}
-		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 	default:
 		// Require and Trim default profile name prefix
 		if !strings.HasPrefix(apparmorProf, profileNamePrefix) {

vendor/github.com/containerd/cri/pkg/server/image_pull.go

@@ -187,7 +187,8 @@ func ParseAuth(auth *runtime.AuthConfig, host string) (string, string, error) {
 		return user, strings.Trim(passwd, "\x00"), nil
 	}
 	// TODO(random-liu): Support RegistryToken.
-	return "", "", errors.New("invalid auth config")
+	// An empty auth config is valid for anonymous registry
+	return "", "", nil
 }
 
 // createImageReference creates image reference inside containerd image store.