Merge pull request #8687 from sharifelgamal/apparmor

restrict apparmor security opt to docker

Merge pull request #8687 from sharifelgamal/apparmor
restrict apparmor security opt to docker
4d756f2d · Medya Ghazizadeh · GitHub · b12dbeb8 · d0d3973a · 4d756f2d
显示空白变更内容
内联并排

Showing with 2 addition and 2 deletion

pkg/drivers/kic/oci/oci.go pkg/drivers/kic/oci/oci.go +2 -2

未找到文件。
--- a/pkg/drivers/kic/oci/oci.go
+++ b/pkg/drivers/kic/oci/oci.go
@@ -126,8 +126,6 @@ func CreateContainerNode(p CreateParams) error {
 		// for now this is what we want. in the future we may revisit this.
 		"--privileged",
 		"--security-opt", "seccomp=unconfined", //  ignore seccomp
-		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
-		"--security-opt", "apparmor=unconfined",
 		"--tmpfs", "/tmp", // various things depend on working /tmp
 		"--tmpfs", "/run", // systemd wants a writable /run
 		// logs,pods be stroed on  filesystem vs inside container,
@@ -150,6 +148,8 @@ func CreateContainerNode(p CreateParams) error {
 	}
 	if p.OCIBinary == Docker {
 		runArgs = append(runArgs, "--volume", fmt.Sprintf("%s:/var", p.Name))
+		// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
+		runArgs = append(runArgs, "--security-opt", "apparmor=unconfined")
 	}

 	runArgs = append(runArgs, fmt.Sprintf("--cpus=%s", p.CPUs))