Merge pull request #3607 from awesomenix/updatecri

Update cri to 0165d516161e25e52b4ab52a404a00823f8f0ef6
2019-09-04 13:42:29 -07:00 · 2019-09-04 13:42:29 -07:00 · d540b10c75
commit d540b10c75
parent f76eefd272 b6c811b7a4
3 changed files with 12 additions and 12 deletions
--- a/vendor.conf
+++ b/vendor.conf
@ -49,7 +49,7 @@ go.opencensus.io v0.22.0
 github.com/imdario/mergo v0.3.7

 # cri dependencies
-github.com/containerd/cri f1d492b0cdd14e76476ee4dd024696ce3634e501 # master
+github.com/containerd/cri 0165d516161e25e52b4ab52a404a00823f8f0ef6 # master
 github.com/containerd/go-cni 49fbd9b210f3c8ee3b7fd3cd797aabaf364627c1
 github.com/containernetworking/cni v0.7.1
 github.com/containernetworking/plugins v0.7.6
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@ -374,11 +374,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP

 	if !c.config.DisableProcMount {
 		// Apply masked paths if specified.
-		// Note: If the container is privileged, then we clear any masked paths later on in the call to setOCIPrivileged()
+		// If the container is privileged, this will be cleared later on.
 		specOpts = append(specOpts, oci.WithMaskedPaths(securityContext.GetMaskedPaths()))

 		// Apply readonly paths if specified.
-		// Note: If the container is privileged, then we clear any readonly paths later on in the call to setOCIPrivileged()
+		// If the container is privileged, this will be cleared later on.
 		specOpts = append(specOpts, oci.WithReadonlyPaths(securityContext.GetReadonlyPaths()))
 	}

@ -577,18 +577,17 @@ func generateApparmorSpecOpts(apparmorProf string, privileged, apparmorEnabled b
 		return nil, nil
 	}
 	switch apparmorProf {
-	case runtimeDefault:
+	// Based on kubernetes#51746, default apparmor profile should be applied
+	// for when apparmor is not specified.
+	case runtimeDefault, "":
+		if privileged {
+			// Do not set apparmor profile when container is privileged
+			return nil, nil
+		}
 		// TODO (mikebrow): delete created apparmor default profile
 		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 	case unconfinedProfile:
 		return nil, nil
-	case "":
-		// Based on kubernetes#51746, default apparmor profile should be applied
-		// for non-privileged container when apparmor is not specified.
-		if privileged {
-			return nil, nil
-		}
-		return apparmor.WithDefaultProfile(appArmorDefaultProfileName), nil
 	default:
 		// Require and Trim default profile name prefix
 		if !strings.HasPrefix(apparmorProf, profileNamePrefix) {
--- a/vendor/github.com/containerd/cri/pkg/server/image_pull.go
+++ b/vendor/github.com/containerd/cri/pkg/server/image_pull.go
@ -187,7 +187,8 @@ func ParseAuth(auth *runtime.AuthConfig, host string) (string, string, error) {
 		return user, strings.Trim(passwd, "\x00"), nil
 	}
 	// TODO(random-liu): Support RegistryToken.
-	return "", "", errors.New("invalid auth config")
+	// An empty auth config is valid for anonymous registry
+	return "", "", nil
 }

 // createImageReference creates image reference inside containerd image store.