[cri] don't clear base security settings

When a base runtime spec is being used, admins can configure defaults for the spec so that default ulimits or other security related settings get applied for all containers launched. Signed-off-by: Michael Crosby <michael@thepasture.io>
containerd · Dec 2, 2020 · 3d358c9 · 3d358c9
1 parent 7126310
commit 3d358c9
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -114,13 +114,20 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 
 	specOpts := []oci.SpecOpts{
 		customopts.WithoutRunMount,
-		customopts.WithoutDefaultSecuritySettings,
+	}
+	// only clear the default security settings if the runtime does not have a custom
+	// base runtime spec spec.  Admins can use this functionality to define
+	// default ulimits, seccomp, or other default settings.
+	if ociRuntime.BaseRuntimeSpec == "" {
+		specOpts = append(specOpts, customopts.WithoutDefaultSecuritySettings)
+	}
+	specOpts = append(specOpts,
 		customopts.WithRelativeRoot(relativeRootfsPath),
 		customopts.WithProcessArgs(config, imageConfig),
 		oci.WithDefaultPathEnv,
 		// this will be set based on the security context below
 		oci.WithNewPrivileges,
-	}
+	)
 	if config.GetWorkingDir() != "" {
 		specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
 	} else if imageConfig.WorkingDir != "" {