
Commit b74bd2b

committed
Add option to disable fips mode in pod
If FIPS_DISABLE=true is set, the FIPS secret is not mounted in the pod. Signed-off-by: Urvashi Mohnani <[email protected]>
1 parent e382065 commit b74bd2b


1 file changed

+6
-1
lines changed

1 file changed

+6
-1
lines changed

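--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -820,8 +820,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID, contai
 return nil, fmt.Errorf("failed to mount secrets: %v", err)
 }
 }
+// Check for FIPS_DISABLE label in the pod config
+disableFips := false
+if value, ok := sandboxConfig.GetLabels()["FIPS_DISABLE"]; ok && value == "true" {
+disableFips = true
+}
 // Add secrets from the default and override mounts.conf files
-secretMounts = append(secretMounts, secrets.SecretMounts(mountLabel, containerInfo.RunDir, s.config.DefaultMountsFile, rootless.IsRootless())...)
+secretMounts = append(secretMounts, secrets.SecretMounts(mountLabel, containerInfo.RunDir, s.config.DefaultMountsFile, rootless.IsRootless(), disableFips)...)
 
 mounts := []rspec.Mount{}
 mounts = append(mounts, ociMounts...)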
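Review bot: The `FIPS_DISABLE` lookup added before the `secrets.SecretMounts` call reads a pod label, and labels are set by whoever writes the pod spec, so as far as this hunk shows any pod author can opt a sandbox out of the FIPS secret mount on a FIPS-enabled node without node-level approval and without a trace in the runtime log. I would state that trust decision in the comment, e.g. `// FIPS_DISABLE is supplied by the pod author; only the exact value "true" skips the FIPS secret mount, anything else keeps it.`, and log the sandbox ID at the point where `disableFips` becomes true so the opt-out can be audited. If the node is meant to enforce FIPS, the label should also be checked against a node-side setting before it is honoured; whether such a setting exists cannot be seen from here. The enclosing `createSandboxContainer` starts and ends outside the hunk.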
