runtime: Add trusted runtime option
Some CRI compatible runtimes may not support provileged operations. Specifically hypervisor based runtimes (like kata-containers, cc-runtime and runv) do not support privileged operations like: - Provide access to the host namespaces - Create fully privileged containers with access to host devices Hypervisor based runtimes create container workloads within virtual machines. When a running host privileged containers using them, they wont provide support to requested the privileged opertations. This commits add the new options to define two runtimes: Trusted runtime : Used when a privileged container is requested. Default runtime : for non-privileged workloads. A container that belongs to a privileged pod will inherent this property an will be created with the trusted runtime. - Add options to define trusted runtime - Add logic to decide if a sanbox is trusted - Export annotation containers below to a trusted sandbox Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit is contained in:
Jose Carlos Venegas Munoz
@@ -31,4 +31,7 @@ const (
|
||||
|
||||
// SandboxID is the sandbox ID annotation
|
||||
SandboxID = "io.kubernetes.cri.sandbox-id"
|
||||
|
||||
// PrivilegedSandbox is the privileged annotation
|
||||
PrivilegedSandbox = "io.kubernetes.cri.privileged-sandbox"
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user