cri-o · openshift-merge-bot · Dec 18, 2024 · Dec 9, 2024
@@ -167,6 +167,7 @@ kata_skip_pod_tests:
   - 'test "run container with container_min_memory 17.5MiB"'
   - 'test "run container with container_min_memory 5.5MiB"'
   - 'test "run container with empty container_min_memory"'
+  - 'test "run container with default annotations"'
 kata_skip_seccomp_oci_artifacts_tests:
   - 'test "seccomp OCI artifact with pod annotation"'
   - 'test "seccomp OCI artifact with container annotation"'

@@ -378,6 +378,9 @@ A mapping of platforms to the corresponding runtime executable paths for the run
 If set to true, the runtime will not sync the log file on rotate or container exit. This option is only valid for the 'oci'
 runtime type. Setting this option to true can cause data loss, e.g. when a machine crash happens.
 
+**default_annotations**={}
+A mapping of keys to values of annotations set on containers run by this runtime handler, if not overridden by the pod spec.
+
 ### CRIO.RUNTIME.WORKLOADS TABLE
 
 The "crio.runtime.workloads" table defines a list of workloads - a way to customize the behavior of a pod and container.

@@ -227,6 +227,16 @@ func (r *Runtime) RuntimeSupportsRROMounts(runtimeHandler string) bool {
 	return rh.RuntimeSupportsRROMounts()
 }
 
+// RuntimeDefaultAnnotations returns the default annotations for this runtime handler.
+func (r *Runtime) RuntimeDefaultAnnotations(runtimeHandler string) (map[string]string, error) {
+	rh, err := r.getRuntimeHandler(runtimeHandler)
+	if err != nil {
+		return nil, err
+	}
+
+	return rh.RuntimeDefaultAnnotations(), nil
+}
+
 func (r *Runtime) newRuntimeImpl(c *Container) (RuntimeImpl, error) {
 	rh, err := r.getRuntimeHandler(c.runtimeHandler)
 	if err != nil {

@@ -268,6 +268,10 @@ type RuntimeHandler struct {
 	// Inheritance request
 	// Fill in the Runtime information (paths and type) from the default runtime
 	InheritDefaultRuntime bool `toml:"inherit_default_runtime,omitempty"`
+
+	// Default annotations specified for runtime handler if they're not overridden by
+	// the pod spec.
+	DefaultAnnotations map[string]string `toml:"default_annotations,omitempty"`
 }
 
 // Multiple runtime Handlers in a map.
@@ -1776,6 +1780,11 @@ func (r *RuntimeHandler) RuntimeSupportsMountFlag(flag string) bool {
 	return slices.Contains(r.features.MountOptions, flag)
 }
 
+// RuntimeDefaultAnnotations returns the default annotations for this handler.
+func (r *RuntimeHandler) RuntimeDefaultAnnotations() map[string]string {
+	return r.DefaultAnnotations
+}
+
 func validateAllowedAndGenerateDisallowedAnnotations(allowed []string) (disallowed []string, _ error) {
 	disallowedMap := make(map[string]bool)
 	for _, ann := range annotations.AllAllowedAnnotations {

@@ -1245,6 +1245,7 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 # allowed_annotations = []
 # platform_runtime_paths = { "os/arch" = "/path/to/binary" }
 # no_sync_log = false
+# default_annotations = {}
 # Where:
 # - runtime-handler: Name used to identify the runtime.
 # - runtime_path (optional, string): Absolute path to the runtime executable in
@@ -1297,6 +1298,7 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 # - no_sync_log (optional, bool): If set to true, the runtime will not sync the log file on rotate or container exit.
 #   This option is only valid for the 'oci' runtime type. Setting this option to true can cause data loss, e.g.
 #   when a machine crash happens.
+# - default_annotations (optional, map): Default annotations if not overridden by the pod spec.
 #
 # Using the seccomp notifier feature:
 #
@@ -1345,6 +1347,10 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 {{- $first := true }}{{- range $key, $value := $runtime_handler.PlatformRuntimePaths }}
 {{- if not $first }},{{ end }}{{- printf "%q = %q" $key $value }}{{- $first = false }}{{- end }}}
 {{ end }}
+{{ if $runtime_handler.DefaultAnnotations }}default_annotations = {
+{{- $first := true }}{{- range $key, $value := $runtime_handler.DefaultAnnotations }}
+{{- if not $first }},{{ end }}{{- printf "%q = %q" $key $value }}{{- $first = false }}{{- end }}}
+{{ end }}
 {{ end }}
 `
 

@@ -427,7 +427,21 @@ func (s *Server) runPodSandbox(ctx context.Context, req *types.RunPodSandboxRequ
 		return nil, err
 	}
 
-	kubeAnnotations := sbox.Config().Annotations
+	kubeAnnotations, err := s.Runtime().RuntimeDefaultAnnotations(runtimeHandler)
+	if err != nil {
+		return nil, err
+	}
+	if kubeAnnotations == nil {
+		kubeAnnotations = map[string]string{}
+	}
+
+	// override default annotations with pod spec specified ones
+	for k, v := range sbox.Config().Annotations {
+		if _, ok := kubeAnnotations[k]; ok {
+			log.Debugf(ctx, "Overriding default pod annotation %s for pod %s", k, sbox.ID())
+		}
+		kubeAnnotations[k] = v
+	}
 
 	usernsMode := kubeAnnotations[annotations.UsernsModeAnnotation]
 	if usernsMode != "" {

@@ -523,3 +523,25 @@ EOF
 
 	crictl run "$TESTDIR"/memory.json "$TESTDATA"/sandbox_config.json
 }
+
+@test "run container with default annotations" {
+	setup_crio
+
+	cat << EOF > "$CRIO_CONFIG_DIR/99-ann.conf"
+[crio.runtime]
+default_runtime = "ann"
+[crio.runtime.runtimes.ann]
+runtime_path = "$RUNTIME_BINARY_PATH"
+default_annotations = { "hello" = "1234", "pod" = "5678" }
+EOF
+	unset CONTAINER_DEFAULT_RUNTIME
+	unset CONTAINER_RUNTIMES
+
+	start_crio_no_setup
+
+	ctr_id=$(crictl run "$TESTDATA"/container_sleep.json "$TESTDATA"/sandbox_config.json)
+	annotations=$(crictl inspect "$ctr_id" | jq .info.runtimeSpec.annotations)
+	grep hello <<< "$annotations"
+	# pod spec should override default annotations
+	grep -v "5678" <<< "$annotations"
+}