ca16bd601a
Some CRI compatible runtimes may not support provileged operations. Specifically hypervisor based runtimes (like kata-containers, cc-runtime and runv) do not support privileged operations like: - Provide access to the host namespaces - Create fully privileged containers with access to host devices Hypervisor based runtimes create container workloads within virtual machines. When a running host privileged containers using them, they wont provide support to requested the privileged opertations. This commits add the new options to define two runtimes: Trusted runtime : Used when a privileged container is requested. Default runtime : for non-privileged workloads. A container that belongs to a privileged pod will inherent this property an will be created with the trusted runtime. - Add options to define trusted runtime - Add logic to decide if a sanbox is trusted - Export annotation containers below to a trusted sandbox Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com> |
||
|---|---|---|
| .. | ||
| annotations.go | ||