|
| 1 | +From 976ab1f4c916099fc1f2e6569f13e45df2f26b4f Mon Sep 17 00:00:00 2001 |
| 2 | +From: Peter Hunt <pehunt@redhat.com> |
| 3 | +Date: Tue, 26 Mar 2024 12:07:17 -0400 |
| 4 | +Subject: [PATCH] annotations: add OCI runtime specific annotations to the |
| 5 | + AllowedAnnotations |
| 6 | + |
| 7 | +meaning an admin would have to opt-into allowing them to be used |
| 8 | + |
| 9 | +Signed-off-by: Peter Hunt <pehunt@redhat.com> |
| 10 | +--- |
| 11 | + pkg/annotations/annotations.go | 13 +++++++++++++ |
| 12 | + 1 file changed, 13 insertions(+) |
| 13 | + |
| 14 | +diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go |
| 15 | +index 51920eb..e517f18 100644 |
| 16 | +--- a/pkg/annotations/annotations.go |
| 17 | ++++ b/pkg/annotations/annotations.go |
| 18 | +@@ -48,4 +48,17 @@ var AllAllowedAnnotations = []string{ |
| 19 | + OCISeccompBPFHookAnnotation, |
| 20 | + rdt.RdtContainerAnnotation, |
| 21 | + TrySkipVolumeSELinuxLabelAnnotation, |
| 22 | ++ // Keep in sync with |
| 23 | ++ // https://github.com/opencontainers/runc/blob/3db0871f1cf25c7025861ba0d51d25794cb21623/features.go#L67 |
| 24 | ++ // Once runc 1.2 is released, we can use the `runc features` command to get this programatically, |
| 25 | ++ // but we should hardcode these for now to prevent misuse. |
| 26 | ++ "bundle", |
| 27 | ++ "org.systemd.property.", |
| 28 | ++ "org.criu.config", |
| 29 | ++ |
| 30 | ++ // Simiarly, keep in sync with |
| 31 | ++ // https://github.com/containers/crun/blob/475a3fd0be/src/libcrun/container.c#L362-L366 |
| 32 | ++ "module.wasm.image/variant", |
| 33 | ++ "io.kubernetes.cri.container-type", |
| 34 | ++ "run.oci.", |
| 35 | + } |
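Review bot: Two of the new entries, `"org.systemd.property."` and `"run.oci."`, are key prefixes (the trailing dot is not part of any real annotation key), while the other four are exact keys, and nothing in the hunk shows whether the code that consumes AllAllowedAnnotations matches by prefix; if it compares exact strings, an admin who opts into `org.systemd.property.` will still see `org.systemd.property.<Name>` rejected, and if it does prefix matching, one entry admits the whole family, which is the thing the commit message says admins must explicitly opt into. The matching logic lives outside this hunk, so this needs to be confirmed against it, and the list itself should say which entries are prefixes, e.g. `"org.systemd.property.", // prefix: matches org.systemd.property.<Name>` and `"run.oci.", // prefix`. A one-line comment above the block stating why these are gated (they let a workload steer runtime-level behavior, hence "prevent misuse") would also help the next person who edits the list. Minor: `Simiarly` → `Similarly`, `programatically` → `programmatically` in the added comments.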
| 36 | +-- |
| 37 | +2.33.8 |
| 38 | + |