-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[cri] don't clear base security settings #4791
Conversation
When a base runtime spec is being used, admins can configure defaults for the spec so that default ulimits or other security related settings get applied for all containers launched. Signed-off-by: Michael Crosby <michael@thepasture.io>
Build succeeded.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking out loud.. The opt is to remove some defaults we didn't want to be there..(no default seccomp/apparmor is specified, and Remove default rlimits). Hmm.. With base runtime spec in play we need to know the source of the defaulting before making that decision. If on the deep copy of the BaseRuntimeSpec these fields are included then we shouldn't remove that makes sense. But if they are not included in the BaseRuntimeSpec I think we still need to remove them?
Maybe add a WithBaseRuntimeSpec.. so we can control the timing of the deep copy?
I believe the timing part is fine where it's currently located. If you look at the "if" statement, we basically only add this opt if the base runtime spec is empty. Could you comment on the code lines where you think this will be an issue? |
Here's the original code.. I believe you replaced it with: Here's the original issue for the rlimits filter.. And the rlimits: may be ok on the seccomp/apparmor defaults... that might have carried over from when we were using oci runtime tools to generate the spec? https://github.com/opencontainers/runtime-tools/blob/master/generate/generate.go#L238 |
Yep, all your links are correct. I think maybe you are miss understanding when this isn't applied. We still clear these like normal, for the normal use case. My change is that, when you have the |
Build succeeded.
|
ah.. you are correct. I was thinking (wrongly) that any fields not touched in the base spec would be as set in the default spec... I see now that it's an either base file or default go settings thing. Thx! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
No worries, that file and method are really big, they should probably be refactored sometime as it's hard to follow along with the code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
When a base runtime spec is being used, admins can configure defaults for the
spec so that default ulimits or other security related settings get applied for
all containers launched.
Signed-off-by: Michael Crosby michael@thepasture.io