cri-o · openshift-merge-robot · Jul 26, 2021 · Jul 15, 2021 · Jul 20, 2021
diff --git a/pkg/container/container.go b/pkg/container/container.go
@@ -157,7 +157,7 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 	// The sandbox annotations are already filtered for the allowed
 	// annotations, there is no need to check it additionally here.
 	for k, v := range sb.Annotations() {
-		if strings.HasPrefix(k, crioann.OCISeccompBPFHookAnnotation) {
+		if k == crioann.OCISeccompBPFHookAnnotation+"/"+c.config.Metadata.Name {
 			// The OCI seccomp BPF hook
 			// (https://github.com/containers/oci-seccomp-bpf-hook)
 			// uses the annotation io.containers.trace-syscall as indicator
@@ -171,17 +171,14 @@ func (c *container) SpecAddAnnotations(ctx context.Context, sb *sandbox.Sandbox,
 			// 'io.containers.trace-syscall' if the metadata name is equal
 			// to 'container'. This allows us to trace containers into
 			// distinguishable files.
-			if strings.TrimPrefix(k, crioann.OCISeccompBPFHookAnnotation+"/") == c.config.Metadata.Name {
-				log.Debugf(ctx,
-					"Annotation key for container %q rewritten to %q (value is: %q)",
-					c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
-				)
-				c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
-				c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
-			} else {
-				// Annotation not suffixed with the container name
-				c.spec.AddAnnotation(k, v)
-			}
+			log.Debugf(ctx,
+				"Annotation key for container %q rewritten to %q (value is: %q)",
+				c.config.Metadata.Name, crioann.OCISeccompBPFHookAnnotation, v,
+			)
+			c.config.Annotations[crioann.OCISeccompBPFHookAnnotation] = v
+			c.spec.AddAnnotation(crioann.OCISeccompBPFHookAnnotation, v)
+		} else {
+			c.spec.AddAnnotation(k, v)
 		}
 	}
 

diff --git a/test/ctr.bats b/test/ctr.bats
@@ -27,6 +27,17 @@ function wait_until_exit() {
 	return 1
 }
 
+function check_oci_annotation() {
+	# check for OCI annotation in container's config.json
+	local ctr_id="$1"
+	local key="$2"
+	local value="$3"
+
+	config=$(runtime state "$ctr_id" | jq -r .bundle)/config.json
+
+	[ "$(jq -r .annotations.\""$key"\" < "$config")" = "$value" ]
+}
+
 @test "ctr not found correct error message" {
 	start_crio
 	! crictl inspect "container_not_exist"
@@ -886,6 +897,10 @@ function wait_until_exit() {
 	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
 	crictl inspectp "$pod_id" | grep '"owner": "hmeng"'
 	crictl inspectp "$pod_id" | grep '"security.alpha.kubernetes.io/seccomp/pod": "unconfined"'
+
+	# sandbox annotations passed through to container OCI config
+	ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_config.json "$TESTDATA"/sandbox_config.json)
+	check_oci_annotation "$ctr_id" "com.example.test" "sandbox annotation"
 }
 
 @test "ctr with default_env set in configuration" {

diff --git a/test/testdata/sandbox_config.json b/test/testdata/sandbox_config.json
@@ -28,7 +28,8 @@
 	},
 	"annotations": {
 		"owner": "hmeng",
-		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
+		"com.example.test": "sandbox annotation"
 	},
 	"linux": {
 		"cgroup_parent": "pod_123-456.slice",