google / gvisor-containerd-shim

containerd shim for gVisor
https://gvisor.dev
Apache License 2.0

Fix sandbox.json instructions for containerd 1.1 #6

Closed ianlewis closed 5 years ago

ianlewis commented 5 years ago

Annotations aren't part of the PodSandboxMetadata but rather part of the PodSandboxConfig object. crictl's parsing logic seems to ignore extraneous fields, so it silently fails to create pods using the untrusted workload runtime.

See: https://github.com/kubernetes-sigs/cri-tools/blob/v1.13.0/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go#L775

Related: #4
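
The misplacement described in this issue can be caught before the file is handed to crictl. The following is an added example, not part of the issue or the project's code: a Python check that flags fields placed under `metadata` that PodSandboxMetadata does not define, and confirms the annotation sits at the top level of the PodSandboxConfig. The annotation key is the one containerd's CRI plugin uses for the untrusted workload runtime; the function name and both sample documents are constructed for illustration.

```python
import json

# Fields defined by PodSandboxMetadata in CRI v1alpha2 (the struct linked in the issue).
METADATA_FIELDS = {"name", "uid", "namespace", "attempt"}
# Annotation containerd's CRI plugin reads to select the untrusted workload runtime.
UNTRUSTED_ANNOTATION = "io.kubernetes.cri.untrusted-workload"

# Constructed sample: annotations nested under metadata, where they are ignored.
MISPLACED = """{
  "metadata": {
    "name": "nginx-sandbox", "namespace": "default", "attempt": 1,
    "uid": "constructed-uid",
    "annotations": {"io.kubernetes.cri.untrusted-workload": "true"}
  }
}"""

# Constructed sample: annotations at the top level of PodSandboxConfig.
CORRECTED = """{
  "metadata": {
    "name": "nginx-sandbox", "namespace": "default", "attempt": 1,
    "uid": "constructed-uid"
  },
  "annotations": {"io.kubernetes.cri.untrusted-workload": "true"}
}"""


def check_sandbox_config(text):
    """Return a list of problems found in a crictl sandbox.json document."""
    config = json.loads(text)
    problems = []
    metadata = config.get("metadata") or {}
    # Anything outside the four defined fields is dropped without an error.
    for key in sorted(set(metadata) - METADATA_FIELDS):
        problems.append(f"metadata.{key}: not a PodSandboxMetadata field, ignored")
    annotations = config.get("annotations") or {}
    if annotations.get(UNTRUSTED_ANNOTATION) != "true":
        problems.append(
            f"top-level annotations lack {UNTRUSTED_ANNOTATION}=true: "
            "untrusted workload runtime not selected"
        )
    return problems


if __name__ == "__main__":
    for label, doc in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(label, check_sandbox_config(doc) or "ok")
```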