Eric Ernst 9a01272dc2 sandbox: separate host accessing workload and privileged ...

VM isolated runtimes can support privileged workloads. In this
scenario, access to the guest VM is provided instead of the host.
Based on this, allow untrusted runtimes to run privileged workloads.

If the workload is specifically asking for node PID/IPC/network, etc.,
then continue to require the trusted runtime.

This commit repurposes the hostPrivilegedSandbox utility function to
only check for node namespace checking.

Fixes: #855

Signed-off-by: Eric Ernst <eric.ernst@intel.com>

2018-07-22 16:51:22 -07:00

..

annotations

Address comments for privileged runtime code.

2018-03-23 02:17:46 +00:00

api/v1

Rename all variables to remove "cricontainerd".

2018-03-19 21:59:32 +00:00

atomic

Use containerd grpc server

2018-01-18 18:51:18 +00:00

client

Fix ctr cri timeout.

2018-06-05 01:24:28 +00:00

config

support no_pivot option for runc

2018-07-20 08:46:50 +08:00

constants

Use direct function call.

2018-03-13 04:51:19 +00:00

containerd

Remove pkg/containerd/resolver package.

2018-07-09 19:08:48 -07:00

ioutil

Add max_container_log_size

2018-06-14 14:24:17 -07:00

log

Use trace support in containerd.

2018-02-07 19:17:26 +00:00

os

os.Unmount: do not consult mountinfo, drop flags

2018-04-30 12:54:10 -07:00

registrar

Use github.com/pkg/errors

2018-03-17 02:24:38 +00:00

server

sandbox: separate host accessing workload and privileged

2018-07-22 16:51:22 -07:00

store

os.Unmount: do not consult mountinfo, drop flags

2018-04-30 12:54:10 -07:00

util

Replace stringid with simple rand reader

2018-07-12 16:40:45 -07:00