Plugin configuration level privileged mode.

Author: shishir-a412ed

containerd/containerd.go

@@ -95,6 +95,10 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 
 	opts = append(opts, oci.WithImageConfigArgs(containerConfig.Image, args))
 
+	if !d.config.AllowPrivileged && config.Privileged {
+		return nil, fmt.Errorf("Running privileged jobs are not allowed. Set allow_privileged to true in plugin config to allow running privileged jobs.")
+	}
+
 	// Enable privileged mode.
 	if config.Privileged {
 		opts = append(opts, oci.WithPrivileged)

containerd/driver.go

@@ -79,6 +79,10 @@ var (
 		),
 		"containerd_runtime": hclspec.NewAttr("containerd_runtime", "string", true),
 		"stats_interval":     hclspec.NewAttr("stats_interval", "string", false),
+		"allow_privileged": hclspec.NewDefault(
+			hclspec.NewAttr("allow_privileged", "bool", false),
+			hclspec.NewLiteral("true"),
+		),
 	})
 
 	// taskConfigSpec is the specification of the plugin's configuration for
@@ -130,6 +134,7 @@ type Config struct {
 	Enabled           bool   `codec:"enabled"`
 	ContainerdRuntime string `codec:"containerd_runtime"`
 	StatsInterval     string `codec:"stats_interval"`
+	AllowPrivileged   bool   `codec:"allow_privileged"`
 }
 
 // Volume, bind, and tmpfs type mounts are supported.