Plugin configuration level privileged mode.

2021-03-04 09:46:27 -08:00 · 2021-03-04 09:46:27 -08:00 · 6a7fa68c0f
commit 6a7fa68c0f
parent a308178b1c
2 changed files with 9 additions and 0 deletions
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@ -95,6 +95,10 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC

 	opts = append(opts, oci.WithImageConfigArgs(containerConfig.Image, args))

+	if !d.config.AllowPrivileged && config.Privileged {
+		return nil, fmt.Errorf("Running privileged jobs are not allowed. Set allow_privileged to true in plugin config to allow running privileged jobs.")
+	}
+
 	// Enable privileged mode.
 	if config.Privileged {
 		opts = append(opts, oci.WithPrivileged)
--- a/containerd/driver.go
+++ b/containerd/driver.go
@ -79,6 +79,10 @@ var (
 		),
 		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
 		"stats_interval":     hclspec.NewAttr("stats_interval", "string", false),
+		"allow_privileged": hclspec.NewDefault(
+			hclspec.NewAttr("allow_privileged", "bool", false),
+			hclspec.NewLiteral("true"),
+		),
 	})

 	// taskConfigSpec is the specification of the plugin's configuration for
@ -130,6 +134,7 @@ type Config struct {
 	Enabled           bool   `codec:"enabled"`
 	ContainerdRuntime string `codec:"containerd_runtime"`
 	StatsInterval     string `codec:"stats_interval"`
+	AllowPrivileged   bool   `codec:"allow_privileged"`
 }

 // Volume, bind, and tmpfs type mounts are supported.