From 3a7894df044c149113c97edd273e57703c32534b Mon Sep 17 00:00:00 2001
From: Ian Lewis <ianlewis@google.com>
Date: Fri, 14 Dec 2018 13:21:21 +0000
Subject: Fix sandbox.json instructions for containerd 1.1

Annotations aren't part of the PodSandboxMetadata but rather part of the
PodSandboxConfig object. crictl's parsing logic seems to ignore
extraneous fields so it silently fails to create pods using the
untrusted workload runtime.

See: https://github.com/kubernetes-sigs/cri-tools/blob/v1.13.0/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go#L775
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index ca8188eb4..d3b10fe07 100644
--- a/README.md
+++ b/README.md
@@ -78,10 +78,10 @@ $ cat > sandbox.json << EOL
         "name": "nginx-sandbox",
         "namespace": "default",
         "attempt": 1,
-        "uid": "hdishd83djaidwnduwk28bcsb",
-        "annotations": {
-          "io.kubernetes.cri.untrusted-workload": "true"
-        }
+        "uid": "hdishd83djaidwnduwk28bcsb"
+    },
+    "annotations": {
+      "io.kubernetes.cri.untrusted-workload": "true"
     },
     "linux": {
     },
-- 
cgit v1.2.3