github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

runtime: Add trusted runtime option

Browse Source 
Some CRI compatible runtimes may not support provileged operations.
Specifically hypervisor based runtimes (like kata-containers, cc-runtime
and runv) do not support privileged operations like:

- Provide access to the host namespaces
- Create fully privileged containers with access to host devices

Hypervisor based runtimes create container workloads within virtual machines.
When a running host privileged containers using them,
they wont provide support to requested the privileged opertations.

This commits add the new options to define two runtimes:

Trusted runtime : Used when a privileged container is requested.
Default runtime : for non-privileged workloads.

A container that belongs to a privileged pod will inherent this property
an will be created with the trusted runtime.

- Add options to define trusted runtime
- Add logic to decide if a sanbox is trusted
- Export annotation containers below to a trusted sandbox

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit is contained in:
Jose Carlos Venegas Munoz
2018-03-12 00:24:14 -06:00
parent 013ab03a53
commit ca16bd601a
5 changed files with 89 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/server/helpers.go
View File

@@ -35,9 +35,11 @@ import (
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/net/context"
runtime "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
criconfig "github.com/containerd/cri/pkg/config"
"github.com/containerd/cri/pkg/store"
imagestore "github.com/containerd/cri/pkg/store/image"
"github.com/containerd/cri/pkg/util"
@@ -407,3 +409,18 @@ func getPodCNILabels(id string, config *runtime.PodSandboxConfig) map[string]str
"IgnoreUnknown": "1",
}
}
// getRuntime returns the runtime configuration
// If the container is privileged, it will return
// the privileged runtime else not.
func (c *criService) getRuntime(privileged bool) (runtime criconfig.Runtime) {
runtime = c.config.ContainerdConfig.DefaultRuntime
if privileged && c.config.ContainerdConfig.PrivilegedRuntime.Engine != "" {
runtime = c.config.ContainerdConfig.PrivilegedRuntime
}
logrus.Debugf("runtime=%s(%s), runtime root='%s', privileged='%v'", runtime.Type, runtime.Engine, runtime.Root, privileged)
return runtime
}