Rename runtime/default to docker default
This commit is contained in:
@@ -819,9 +819,8 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container
|
||||
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
|
||||
}
|
||||
|
||||
ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage,
|
||||
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory,
|
||||
r.DockerDisableSharedPID)
|
||||
ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage, streamingConfig, &pluginSettings,
|
||||
c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory, r.DockerDisableSharedPID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@@ -483,10 +483,11 @@ type LinuxSandboxSecurityContext struct {
|
||||
// privileged containers are expected to be run.
|
||||
Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
|
||||
// Seccomp profile for the sandbox, candidate values are:
|
||||
// * runtime/default: the default profile for the container runtime
|
||||
// * docker/default: the default profile for the docker container runtime
|
||||
// * unconfined: unconfined profile, ie, no seccomp sandboxing
|
||||
// * localhost/<full-path-to-profile>: the profile installed on the node.
|
||||
// <full-path-to-profile> is the full path of the profile.
|
||||
// Default: "", which is identical with unconfined.
|
||||
SeccompProfilePath string `protobuf:"bytes,7,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
|
||||
}
|
||||
|
||||
@@ -1364,10 +1365,11 @@ type LinuxContainerSecurityContext struct {
|
||||
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
|
||||
ApparmorProfile string `protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"`
|
||||
// Seccomp profile for the container, candidate values are:
|
||||
// * runtime/default: the default profile for the container runtime
|
||||
// * docker/default: the default profile for the docker container runtime
|
||||
// * unconfined: unconfined profile, ie, no seccomp sandboxing
|
||||
// * localhost/<full-path-to-profile>: the profile installed on the node.
|
||||
// <full-path-to-profile> is the full path of the profile.
|
||||
// Default: "", which is identical with unconfined.
|
||||
SeccompProfilePath string `protobuf:"bytes,10,opt,name=seccomp_profile_path,json=seccompProfilePath,proto3" json:"seccomp_profile_path,omitempty"`
|
||||
// no_new_privs defines if the flag for no_new_privs should be set on the
|
||||
// container.
|
||||
|
@@ -203,10 +203,11 @@ message LinuxSandboxSecurityContext {
|
||||
// privileged containers are expected to be run.
|
||||
bool privileged = 6;
|
||||
// Seccomp profile for the sandbox, candidate values are:
|
||||
// * runtime/default: the default profile for the container runtime
|
||||
// * docker/default: the default profile for the docker container runtime
|
||||
// * unconfined: unconfined profile, ie, no seccomp sandboxing
|
||||
// * localhost/<full-path-to-profile>: the profile installed on the node.
|
||||
// <full-path-to-profile> is the full path of the profile.
|
||||
// Default: "", which is identical with unconfined.
|
||||
string seccomp_profile_path = 7;
|
||||
}
|
||||
|
||||
@@ -515,10 +516,11 @@ message LinuxContainerSecurityContext {
|
||||
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
|
||||
string apparmor_profile = 9;
|
||||
// Seccomp profile for the container, candidate values are:
|
||||
// * runtime/default: the default profile for the container runtime
|
||||
// * docker/default: the default profile for the docker container runtime
|
||||
// * unconfined: unconfined profile, ie, no seccomp sandboxing
|
||||
// * localhost/<full-path-to-profile>: the profile installed on the node.
|
||||
// <full-path-to-profile> is the full path of the profile.
|
||||
// Default: "", which is identical with unconfined.
|
||||
string seccomp_profile_path = 10;
|
||||
// no_new_privs defines if the flag for no_new_privs should be set on the
|
||||
// container.
|
||||
|
@@ -78,7 +78,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
|
||||
return []dockerOpt{{"seccomp", b.String(), msg}}, nil
|
||||
}
|
||||
|
||||
// getSeccompSecurityOpts gets container seccomp options from container security context.
|
||||
// getSeccompSecurityOpts gets container seccomp options from container seccomp profile.
|
||||
// It is an experimental feature and may be promoted to official runtime api in the future.
|
||||
func getSeccompSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
|
||||
seccompOpts, err := getSeccompDockerOpts(seccompProfile)
|
||||
|
@@ -62,6 +62,8 @@ func TestLoadSeccompLocalhostProfiles(t *testing.T) {
|
||||
expectErr bool
|
||||
}{{
|
||||
msg: "Seccomp localhost/test profile",
|
||||
// We are abusing localhost for loading test seccomp profiles.
|
||||
// The profile should be an absolute path while we are using a relative one.
|
||||
seccompProfile: "localhost/fixtures/seccomp/test",
|
||||
expectedOpts: []string{`seccomp={"foo":"bar"}`},
|
||||
expectErr: false,
|
||||
|
@@ -577,8 +577,8 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
|
||||
case kubetypes.DockerContainerRuntime:
|
||||
// Create and start the CRI shim running as a grpc server.
|
||||
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
|
||||
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage,
|
||||
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName,
|
||||
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage, streamingConfig,
|
||||
&pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName,
|
||||
crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@@ -258,7 +258,7 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string
|
||||
}
|
||||
|
||||
// getSeccompProfileFromAnnotations gets seccomp profile from annotations.
|
||||
// It gets pod's profile if containerName is null.
|
||||
// It gets pod's profile if containerName is empty.
|
||||
func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string {
|
||||
// try the pod profile.
|
||||
profile, profileOK := annotations[v1.SeccompPodAnnotationKey]
|
||||
|
Reference in New Issue
Block a user