From 47927bbad7fe86b414b24b06cef335693b1f0789 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 18 Oct 2021 18:22:25 -0400
Subject: [PATCH] crio: add openshift builder workload this workload will be allowed to mount devices (like /dev/fuse) and configure user namespaces to allow for unprivileged builds
Signed-off-by: Peter Hunt
---
 .../01-master-container-runtime/_base/files/crio.yaml | 7 +++++++
 .../01-worker-container-runtime/_base/files/crio.yaml | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/templates/master/01-master-container-runtime/_base/files/crio.yaml b/templates/master/01-master-container-runtime/_base/files/crio.yaml
index f6141b21e5..e359d542cf 100644
--- a/templates/master/01-master-container-runtime/_base/files/crio.yaml
+++ b/templates/master/01-master-container-runtime/_base/files/crio.yaml
@@ -37,6 +37,13 @@ contents:
 ]
 drop_infra_ctr = true
+ [crio.runtime.workloads.openshift-builder]
+ activation_annotation = "io.openshift.builder"
+ allowed_annotations = [
+ "io.kubernetes.cri-o.userns-mode",
+ "io.kubernetes.cri-o.Devices"
+ ]
+
 [crio.image]
 global_auth_file = "/var/lib/kubelet/config.json"
 pause_image = "{{.Images.infraImageKey}}"
diff --git a/templates/worker/01-worker-container-runtime/_base/files/crio.yaml b/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
index f6141b21e5..e359d542cf 100644
--- a/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
+++ b/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
@@ -37,6 +37,13 @@ contents:
 ]
 drop_infra_ctr = true
+ [crio.runtime.workloads.openshift-builder]
+ activation_annotation = "io.openshift.builder"
+ allowed_annotations = [
+ "io.kubernetes.cri-o.userns-mode",
+ "io.kubernetes.cri-o.Devices"
+ ]
+
 [crio.image]
 global_auth_file = "/var/lib/kubelet/config.json"
 pause_image = "{{.Images.infraImageKey}}"
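Review bot: The new `[crio.runtime.workloads.openshift-builder]` table in the master hunk lets any pod that carries `io.openshift.builder` use the `io.kubernetes.cri-o.userns-mode` and `io.kubernetes.cri-o.Devices` annotations, and nothing in the hunk records what restricts who may set that activation annotation; the identical worker hunk has the same gap. As far as this config shows, activation depends only on the annotation being present, so the restriction has to come from admission control, and a comment above the table should say so, for example `# Activated by pod annotation alone; admission must limit who can set io.openshift.builder, since it unlocks host device and userns requests.` The enclosing `[crio.runtime]` table starts outside the hunk, so it is not visible whether `allowed_devices` is pinned there; if it is not, setting it explicitly (the commit message names only /dev/fuse) would stop the Devices annotation from depending on the runtime default. It is also worth confirming that control-plane nodes need this workload at all, since builds presumably run on workers.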