github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-05 10:50:18 +00:00
Code Issues Projects Releases Wiki Activity

runtime: Update crio annotations

Browse Source 
We've been using the
github.com/containers/podman/v4/pkg/annotations module
to get cri-o annotations, which has some major CVEs in, but
in v5 most of the annotations were moved into crio (from 1.30)
(see https://github.com/cri-o/cri-o/pull/7867). Let's switch
to use the cri-o annotations module instead and remediate
CVE-2024-3056.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman
2025-02-05 11:05:29 +00:00
parent 4f97e5fed3
commit 3740ce6e7b
6 changed files with 131 additions and 210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/runtime/virtcontainers/kata_agent.go
View File

@@ -37,7 +37,7 @@ import (
"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/utils"
ctrAnnotations "github.com/containerd/containerd/pkg/cri/annotations"
podmanAnnotations "github.com/containers/podman/v4/pkg/annotations"
crioAnnotations "github.com/cri-o/cri-o/pkg/annotations"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
@@ -1682,7 +1682,7 @@ func getContainerTypeforCRI(c *Container) (string, string) {
// CRIContainerTypeKeyList lists all the CRI keys that could define
// the container type from annotations in the config.json.
CRIContainerTypeKeyList := []string{ctrAnnotations.ContainerType, podmanAnnotations.ContainerType}
CRIContainerTypeKeyList := []string{ctrAnnotations.ContainerType, crioAnnotations.ContainerType}
containerType := c.config.Annotations[vcAnnotations.ContainerTypeKey]
for _, key := range CRIContainerTypeKeyList {
_, ok := c.config.CustomSpec.Annotations[key]
@@ -1707,7 +1707,7 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
switch criContainerType {
case ctrAnnotations.ContainerType:
image_ref = container_annotations[kubernetesCRIImageName]
case podmanAnnotations.ContainerType:
case crioAnnotations.ContainerType:
image_ref = container_annotations[kubernetesCRIOImageName]
default:
// There are cases, like when using nerdctl, where the criContainerType

2
src/runtime/virtcontainers/sandbox.go
View File

@@ -29,7 +29,7 @@ import (
"github.com/vishvananda/netlink"
cri "github.com/containerd/containerd/pkg/cri/annotations"
crio "github.com/containers/podman/v4/pkg/annotations"
crio "github.com/cri-o/cri-o/pkg/annotations"
"github.com/kata-containers/kata-containers/src/runtime/pkg/device/api"
"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
"github.com/kata-containers/kata-containers/src/runtime/pkg/device/drivers"