Closed ianlewis closed 5 years ago
Annotations aren't part of the PodSandboxMetadata but rather part of the PodSandboxConfig object. crictl's parsing logic seems to ignore extraneous fields so it silently fails to create pods using the untrusted workload runtime.
See: https://github.com/kubernetes-sigs/cri-tools/blob/v1.13.0/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go#L775
Related: #4
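
An added example, not part of the original description or of the project's or crictl's code: it shows how a lenient decoder silently drops `annotations` nested under `metadata`, while a strict decoder rejects the file. The structs are trimmed-down stand-ins for the CRI v1alpha2 types, `encoding/json` stands in for crictl's own parser, and the sample configs and the annotation key (the one containerd's CRI plugin uses for the untrusted workload runtime) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed-down stand-ins for the CRI v1alpha2 types (assumption: only the
// fields needed here; the real structs are generated in api.pb.go).
type PodSandboxMetadata struct {
	Name      string `json:"name,omitempty"`
	Uid       string `json:"uid,omitempty"`
	Namespace string `json:"namespace,omitempty"`
	Attempt   uint32 `json:"attempt,omitempty"`
}

type PodSandboxConfig struct {
	Metadata    *PodSandboxMetadata `json:"metadata,omitempty"`
	Annotations map[string]string   `json:"annotations,omitempty"`
}

// Constructed sample configs: annotations nested under metadata (wrong)
// and at the top level of the config (right).
const misplaced = `{"metadata":{"name":"sandbox","namespace":"default",
  "annotations":{"io.kubernetes.cri.untrusted-workload":"true"}}}`
const correct = `{"metadata":{"name":"sandbox","namespace":"default"},
  "annotations":{"io.kubernetes.cri.untrusted-workload":"true"}}`

// decodeConfig parses a sandbox config; strict=true rejects unknown fields
// instead of discarding them.
func decodeConfig(raw string, strict bool) (*PodSandboxConfig, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	if strict {
		dec.DisallowUnknownFields()
	}
	cfg := &PodSandboxConfig{}
	if err := dec.Decode(cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

func main() {
	cfg, err := decodeConfig(misplaced, false)
	fmt.Println("lenient:", len(cfg.Annotations), "annotations, err =", err)
	_, err = decodeConfig(misplaced, true)
	fmt.Println("strict:", err)
}
```

With the lenient decode the pod config parses cleanly but carries no annotations, so the sandbox would be created without the runtime selection the author intended.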