diff --git a/pkg/container/container.go b/pkg/container/container.go
index 1e59371e737..554430e5339 100644
--- a/pkg/container/container.go
+++ b/pkg/container/container.go
@@ -157,7 +157,7 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 // The sandbox annotations are already filtered for the allowed
 // annotations, there is no need to check it additionally here.
 for k, v := range sb.Annotations() {
- if strings.HasPrefix(k, crioann.OCISeccompBPFHookAnnotation) {
+ if k == crioann.OCISeccompBPFHookAnnotation+"/"+c.config.Metadata.Name {
 // The OCI seccomp BPF hook
 // (https://github.com/containers/oci-seccomp-bpf-hook)
 // uses the annotation io.containers.trace-syscall as indicator
@@ -171,17 +171,14 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 // 'io.containers.trace-syscall' if the metadata name is equal
 // to 'container'. This allows us to trace containers into
 // distinguishable files.
- if strings.TrimPrefix(k, crioann.OCISeccompBPFHookAnnotation+"/") == c.config.Metadata.Name {
- log.Debugf(ctx,
- "Annotation key for container %q rewritten to %q (value is: %q)",
- c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
- )
- c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
- c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
- } else {
- // Annotation not suffixed with the container name
- c.spec.AddAnnotation(k, v)
- }
+ log.Debugf(ctx,
+ "Annotation key for container %q rewritten to %q (value is: %q)",
+ c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
+ )
+ c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
+ c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
+ } else {
+ c.spec.AddAnnotation(k, v)
 }
 }
diff --git a/test/ctr.bats b/test/ctr.bats
index 7eb4462e7ad..0f57e0bebf8 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
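Review bot: The new `else` branch copies every sandbox annotation other than this container's seccomp-hook key into the container's OCI spec, yet the only thing bounding what reaches the runtime and any OCI hooks is the remark above the loop that sandbox annotations were already filtered against the allowed set — that upstream filter is now load-bearing for every container in the pod, so the branch should say so: `// Every other sandbox annotation is passed through unchanged; this relies on sb.Annotations() having been filtered for the allowed annotations.` The branch also still forwards a bare `io.containers.trace-syscall` key and `io.containers.trace-syscall/<other-container>` keys meant for sibling containers, as the removed inner `else` did, so the long comment inside the `if` describing prefix matching now only partly fits the exact-key comparison and is worth trimming. `c.spec.AddAnnotation(k, v)` presumably overwrites a same-named key set from the container's own config, depending on where this loop runs relative to that — worth confirming in the rest of the function. If `strings.HasPrefix` and `strings.TrimPrefix` were the only uses of `strings` in container.go the import is now unused; the import block is not in the diff. `SpecAddAnnotations` starts and ends outside the hunk.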
@@ -27,6 +27,17 @@ function wait_until_exit() {
 return 1
 }
+function check_oci_annotation() {
+ # check for OCI annotation in container's config.json
+ local ctr_id="$1"
+ local key="$2"
+ local value="$3"
+
+ config=$(runtime state "$ctr_id" | jq -r .bundle)/config.json
+
+ [ "$(jq -r .annotations.\""$key"\" < "$config")" = "$value" ]
+}
+
 @test "ctr not found correct error message" {
 start_crio
 ! crictl inspect "container_not_exist"
@@ -886,6 +897,10 @@ function wait_until_exit() {
 pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
 crictl inspectp "$pod_id" | grep '"owner": "hmeng"'
 crictl inspectp "$pod_id" | grep '"security.alpha.kubernetes.io/seccomp/pod": "unconfined"'
+
+ # sandbox annotations passed through to container OCI config
+ ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_config.json "$TESTDATA"/sandbox_config.json)
+ check_oci_annotation "$ctr_id" "com.example.test" "sandbox annotation"
 }
 @test "ctr with default_env set in configuration" {
diff --git a/test/testdata/sandbox_config.json b/test/testdata/sandbox_config.json
index d1bd60123de..5507f2352f7 100644
--- a/test/testdata/sandbox_config.json
+++ b/test/testdata/sandbox_config.json
@@ -28,7 +28,8 @@
 },
 "annotations": {
 "owner": "hmeng",
- "security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+ "security.alpha.kubernetes.io/seccomp/pod": "unconfined",
+ "com.example.test": "sandbox annotation"
 },
 "linux": {
 "cgroup_parent": "pod_123-456.slice",
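Review bot: `config` in `check_oci_annotation` is the one variable the helper assigns without `local`, so it leaks into the calling test's scope; declare it first and assign separately so the `$(...)` exit status is not masked: `local config` / `config=$(runtime state "$ctr_id" | jq -r .bundle)/config.json`. The filter `.annotations.\""$key"\"` also embeds the key in jq syntax, which breaks for keys containing a double quote or backslash; `jq -r --arg k "$key" '.annotations[$k]' < "$config"` passes it as data instead. The comparison quietly equates an absent key (`null` from `-r`) with the literal value "null", which does not matter for the value used here but is worth a one-line comment. The second hunk in this file creates a container via `crictl create` without removing it; presumably the existing per-test cleanup covers that.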