BuildLabels builds the labels from config to be passed to containerd. Image config labels in the namespaces reserved for containerd (containerd.io/) and the CRI plugin (io.cri-containerd) are not copied to the container.
(configLabels, imageConfigLabels map[string]string, containerType string)
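// BuildLabels builds the labels from config to be passed to containerd.
// Image config labels in the namespaces reserved for containerd
// (containerd.io/) and the CRI plugin (io.cri-containerd) are not copied
// to the container.
//
// Precedence, lowest to highest: image config labels, then configLabels
// (the CRI request), then the container kind label, which is written last
// so that neither label source can override it. The reserved-namespace
// filter and validation are applied to image labels only; configLabels are
// copied as-is. The returned map is always non-nil.
func BuildLabels(configLabels, imageConfigLabels map[string]string, containerType string) map[string]string {
	// Upper bound on the result size; some image labels may be dropped below.
	labels := make(map[string]string, len(imageConfigLabels)+len(configLabels)+1)

	for k, v := range imageConfigLabels {
		// Labels in the containerd.io/* namespace are interpreted by containerd
		// itself, and labels in the io.cri-containerd.* namespace are interpreted
		// by the CRI plugin, so they are not copied from untrusted image configs.
		if clabels.IsReserved(k) {
			log.L.Warnf("skipping image label %q: the label namespace is reserved for containerd; possible malicious image attempting to alter containerd behavior", k)
			continue
		}
		if err := clabels.Validate(k, v); err != nil {
			// An invalid image label is skipped with a warning and the remaining
			// labels are still processed. The key comes from the image config, so
			// it is logged with %q (as in the reserved-namespace warning above) to
			// keep newlines and control characters escaped in the log line.
			log.L.WithError(err).Warnf("unable to add image label with key %q to the container", k)
			continue
		}
		labels[k] = v
	}
	// labels from the CRI request (config) will override labels in the image config
	maps.Copy(labels, configLabels)
	// Set after both copies so the container kind always reflects containerType.
	labels[crilabels.ContainerKindLabel] = containerType
	return labels
}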
| 113 | |
| 114 | // GenerateUserString generates valid user string based on OCI Image Spec |
| 115 | // v1.0.0. |