diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
index 5d1a9e112e5..53dfafb40e2 100644
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -60,4 +60,17 @@ var AllAllowedAnnotations = []string{
 TrySkipVolumeSELinuxLabelAnnotation,
 CPUCStatesAnnotation,
 CPUFreqGovernorAnnotation,
+ // Keep in sync with
+ // https://github.com/opencontainers/runc/blob/3db0871f1cf25c7025861ba0d51d25794cb21623/features.go#L67
+ // Once runc 1.2 is released, we can use the `runc features` command to get this programmatically,
+ // but we should hardcode these for now to prevent misuse.
+ "bundle",
+ "org.systemd.property.",
+ "org.criu.config",
+
+ // Simiarly, keep in sync with
+ // https://github.com/containers/crun/blob/475a3fd0be/src/libcrun/container.c#L362-L366
+ "module.wasm.image/variant",
+ "io.kubernetes.cri.container-type",
+ "run.oci.",
 }
diff --git a/test/workloads.bats b/test/workloads.bats
index 969c6881e7f..8424f905878 100644
--- a/test/workloads.bats
+++ b/test/workloads.bats
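Review bot: The new entries silently mix exact keys (`"bundle"`, `"org.criu.config"`, `"module.wasm.image/variant"`, `"io.kubernetes.cri.container-type"`) with prefixes (`"org.systemd.property."`, `"run.oci."`), and nothing in the list says which is which or that the trailing dot is what makes an entry a prefix; the accompanying bats test allows `"org.systemd.property."` and then uses `org.systemd.property.CollectMode`, so presumably the allow-list check matches prefixes, but a reader of this file cannot tell. I would add, above the first new entry, `// Entries ending in "." are prefixes: runc and crun honour any annotation whose key starts with them, so allowing the prefix allows every property under it.` and fix the typo `// Simiarly, keep in sync with` to `// Similarly, keep in sync with`. Since these keys let a pod annotation steer the low-level runtime (systemd unit properties, CRIU config, the bundle path), it is also worth a one-line comment stating that listing them here means they are stripped unless a workload or runtime handler explicitly allows them, which is what the list name implies but the comments do not say. The enclosing `var AllAllowedAnnotations = []string{` starts outside the hunk.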
@@ -380,3 +380,43 @@ function check_conmon_fields() {
 echo "Zombies: $zombies"
 [[ $zombies == 0 ]]
 }
+
+@test "test special runtime annotations not allowed" {
+ if [[ "$TEST_USERNS" == "1" ]]; then
+ skip "test fails in a user namespace"
+ fi
+ if [[ "$CONTAINER_CGROUP_MANAGER" == "cgroupfs" ]]; then
+ skip "need systemd cgroup manager"
+ fi
+ start_crio
+
+ jq --arg val "'inactive'" ' .annotations["org.systemd.property.CollectMode"] = $val' \
+ "$TESTDATA"/sandbox_config.json > "$sboxconfig"
+
+ jq --arg val "'inactive'" ' .annotations["org.systemd.property.CollectMode"] = $val' \
+ "$TESTDATA"/container_sleep.json > "$ctrconfig"
+
+ ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
+ [[ $(systemctl show --property CollectMode crio-"$ctr_id".scope) != "CollectMode=inactive" ]]
+}
+
+@test "test special runtime annotations allowed" {
+ if [[ "$TEST_USERNS" == "1" ]]; then
+ skip "test fails in a user namespace"
+ fi
+ if [[ "$CONTAINER_CGROUP_MANAGER" == "cgroupfs" ]]; then
+ skip "need systemd cgroup manager"
+ fi
+ create_workload_with_allowed_annotation "org.systemd.property." "org.systemd.property.CollectMode"
+
+ start_crio
+
+ jq --arg val "'inactive'" ' .annotations["org.systemd.property.CollectMode"] = $val' \
+ "$TESTDATA"/sandbox_config.json > "$sboxconfig"
+
+ jq --arg val "'inactive'" ' .annotations["org.systemd.property.CollectMode"] = $val' \
+ "$TESTDATA"/container_sleep.json > "$ctrconfig"
+
+ ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
+ [[ $(systemctl show --property CollectMode crio-"$ctr_id".scope) == "CollectMode=inactive" ]]
+}
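Review bot: The "not allowed" test only proves that the scope's effective `CollectMode` differs from the requested value, which is an indirect signal; it passes equally if the property happens to default to something else, and it would also pass vacuously if the unit lookup itself fails, since `systemctl show` on a missing unit does not print `CollectMode=inactive` either. What the feature actually guarantees is that the annotation never reaches the runtime, so the stronger assertion is on the created container's spec, e.g. checking that `crictl inspect "$ctr_id"` shows no `org.systemd.property.CollectMode` annotation, with the systemd check kept as a secondary confirmation. The two tests also repeat the same two `skip` guards and the same pair of `jq` rewrites verbatim; a small helper such as `setup_collectmode_configs()` that writes `$sboxconfig` and `$ctrconfig` would leave each test with just its allow-list setup and its assertion. Both tests hard-code `"'inactive'"` as the value; a short comment on the first `jq` line, `# runc parses the value as a Go expression, so the string needs its own quotes`, would explain the otherwise odd double quoting to the next reader.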