Describe device_ownership_from_security_context=true for Containerd v2 (

#3452) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
kubevirt · Oct 7, 2024 · 7b330eb · 7b330eb
1 parent 0838360
commit 7b330eb
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/doc/block_cri_ownership_config.md b/doc/block_cri_ownership_config.md
@@ -8,17 +8,23 @@ This makes it problematic for our workloads to populate block devices, and has m
 As explained in the source below, a solution that is seamless to end-users was chosen by the k8s community, without getting the device plugin vendors involved.  
 The selected approach was to re-use `runAsUser` and `runAsGroup` for devices, with an opt-in config entry for the CRI (`device_ownership_from_security_context`) that ensures no existing deployment breaks.  
 To use CDI, it is advised to opt-in.  
-For containerd:
+For Containerd v1:
 ```toml
 [plugins]
   [plugins."io.containerd.grpc.v1.cri"]
     device_ownership_from_security_context = true
 ```
+For Containerd v2:
+```toml
+[plugins]
+  [plugins."io.containerd.cri.v1.runtime"]
+    device_ownership_from_security_context = true
+```
 CRI-O:
 ```toml
 [crio.runtime]
 device_ownership_from_security_context = true
 ```
 
 ## Source
-https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/
+https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/