From 84875e34a21b81ce9070c00677dea710e3b82da1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 11 Jan 2021 14:05:48 +0100
Subject: [PATCH] controllers: Prevent host devices from being passed to privileged containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`privileged_without_host_devices` is an option from CRI-O configuration files that controls whether the runtime handler will prevent host devices from being passed to privileged containers. Its default value is `false` and we're switching it to `true` in order to avoid exposing the host's `/dev`.

Signed-off-by: Fabiano FidĂȘncio
---
 controllers/openshift_controller.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controllers/openshift_controller.go b/controllers/openshift_controller.go
index 937dd293..91aeff83 100644
--- a/controllers/openshift_controller.go
+++ b/controllers/openshift_controller.go
@@ -345,6 +345,7 @@ func generateDropinConfig(handlerName string) (string, error) {
 runtime_path = "/usr/bin/containerd-shim-kata-v2"
 runtime_type = "vm"
 runtime_root = "/run/vc"
+ privileged_without_host_devices = true
 [crio.runtime.runtimes.runc]
 runtime_path = ""
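Review bot: Nothing pins the new `privileged_without_host_devices = true` line in the drop-in that generateDropinConfig renders, so a later edit to the template could silently drop the hardening; a unit test on the rendered string would catch that, e.g. `if !strings.Contains(cfg, "privileged_without_host_devices = true") { t.Fatalf("drop-in lost privileged_without_host_devices: %s", cfg) }`. The key is added only under the kata handler section (the one with `runtime_type = "vm"`), while the runc section visible below it keeps CRI-O's default, and a `#` comment on the new TOML line such as `# the kata handler runs workloads in a VM; never hand it the host's /dev, even for privileged pods` would make that asymmetry explicit to anyone reading the generated file. Whether every CRI-O release this operator targets recognizes the key is not visible here, so confirm that an older CRI-O does not reject the drop-in as invalid rather than ignoring it. generateDropinConfig starts before the hunk and its body appears to continue past it.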