-rw-r--r-- | runsc/sandbox/network.go | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/runsc/sandbox/network.go b/runsc/sandbox/network.go
index 1b6a1d9a6..d0ff64067 100644
--- a/runsc/sandbox/network.go
+++ b/runsc/sandbox/network.go
@@ -31,6 +31,13 @@ import (
 "gvisor.googlesource.com/gvisor/runsc/boot"
 )
 
+const (
+ // Annotations used to indicate whether the container corresponds to a
+ // pod or a container within a pod.
+ crioContainerTypeAnnotation = "io.kubernetes.cri-o.ContainerType"
+ containerdContainerTypeAnnotation = "io.kubernetes.cri.container-type"
+)
+
 // setupNetwork configures the network stack to mimic the local network
 // configuration. Docker uses network namespaces with vnets to configure the
 // network for the container. The untrusted app expects to see the same network
@@ -68,17 +75,10 @@ func setupNetwork(conn *urpc.Client, pid int, spec *specs.Spec, conf *boot.Confi
 // For now the following HACK disables networking for the "pause"
 // sandbox, allowing the second sandbox to start up successfully.
 //
- // Cri-o helpfully adds the "ContainerType" annotation that we can use
- // to detect whether we are a pod or container. Cri-containerd will
- // support this eventually, but does not currently
- // (https://github.com/kubernetes-incubator/cri-containerd/issues/512).
- //
- // Thus, to support cri-containerd, we check if the exec args is
- // "/pause", which is pretty gross.
- //
 // TODO: Remove this once multiple containers per sandbox
 // is properly supported.
- if spec.Annotations["io.kubernetes.cri-o.ContainerType"] == "sandbox" || spec.Process.Args[0] == "/pause" {
+ if spec.Annotations[crioContainerTypeAnnotation] == "sandbox" ||
+ spec.Annotations[containerdContainerTypeAnnotation] == "sandbox" {
 log.Warningf("HACK: Disabling network")
 conf.Network = boot.NetworkNone
 }
|
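Review bot: The pause-sandbox check in setupNetwork now relies only on the two container-type annotations, so a spec that carries neither (presumably an older cri-containerd, going by the removed comment) is no longer recognised and gets the full network setup instead of `boot.NetworkNone`; the remaining comment should say which runtime versions are expected to set them. The deleted comment was the only explanation of where these annotations come from, so I would keep one line above the condition, such as `// Both cri-o and containerd mark the pod ("pause") container with a container-type annotation of "sandbox".` The literal `"sandbox"` is now compared twice and could sit beside the new constants as `containerTypeSandbox = "sandbox"`. setupNetwork starts and ends outside this hunk, so whether anything else relied on the old `/pause` argument match cannot be seen here.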