crio: filter out systemd related components

Do not allow registration of systemd related services.
google · Oct 12, 2021 · 1a1eae0 · 1a1eae0
1 parent 167d846
commit 1a1eae0
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/container/crio/factory.go b/container/crio/factory.go
@@ -32,6 +32,9 @@ import (
 // The namespace under which crio aliases are unique.
 const CrioNamespace = "crio"
 
+// The namespace systemd runs components under.
+const SystemdNamespace = "system-systemd"
+
 // Regexp that identifies CRI-O cgroups
 var crioCgroupRegexp = regexp.MustCompile(`([a-z0-9]{64})`)
 
@@ -114,6 +117,9 @@ func (f *crioFactory) CanHandleAndAccept(name string) (bool, bool, error) {
 	if !strings.HasPrefix(path.Base(name), CrioNamespace) {
 		return false, false, nil
 	}
+	if strings.HasPrefix(path.Base(name), SystemdNamespace) {
+		return true, false, nil
+	}
 	// if the container is not associated with CRI-O, we can't handle it or accept it.
 	if !isContainerName(name) {
 		return false, false, nil