
crio config doesn't print workload's allowed_annotations #9467

@bitoku

Description

What happened?

Even if it has allowed_annotations in crio.conf, it doesn't print it.

❯ cat /etc/crio/crio.conf
[crio]

# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
root = "/foo/bar"

[crio.runtime.workloads.openshift-builder]
activation_annotation = "io.openshift.builder"
allowed_annotations = [
"io.kubernetes.cri-o.userns-mode",
"io.kubernetes.cri-o.umask",
"io.kubernetes.cri-o.Devices"
]

❯ bin/crio config | grep allowed_annotations -A3
INFO[2025-09-16T10:09:29.238892956Z] Updating config from single file: /etc/crio/crio.conf
INFO[2025-09-16T10:09:29.23892279Z] Updating config from drop-in file: /etc/crio/crio.conf
INFO[2025-09-16T10:09:29.239149659Z] Updating config from path: /etc/crio/crio.conf.d
INFO Using default capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_KILL
# allowed_annotations = []
# platform_runtime_paths = { "os/arch" = "/path/to/binary" }
# no_sync_log = false
# default_annotations = {}
--
# - allowed_annotations (optional, array of strings): an option for specifying
#   a list of experimental annotations that this runtime handler is allowed to process.
#   The currently recognized values are:
#   "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
--
# "io.kubernetes.cri-o.seccompNotifierAction" in the allowed_annotations array.
#
# It also requires at least runc 1.1.0 or crun 0.19 which support the notifier
# feature.
--
# allowed_annotations = [
# 	"io.containers.trace-syscall",
# 	"io.kubernetes.cri-o.Devices",
# ]

❯ bin/crio config | grep root
INFO[2025-09-16T10:09:53.616707819Z] Updating config from single file: /etc/crio/crio.conf
INFO[2025-09-16T10:09:53.616737488Z] Updating config from drop-in file: /etc/crio/crio.conf
INFO[2025-09-16T10:09:53.61691715Z] Updating config from path: /etc/crio/crio.conf.d
INFO Using default capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_KILL
# Path to the "root directory". CRI-O stores all of its data, including
root = "/foo/bar"
# runroot = "/run/user/1004/containers"
# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
# If capabilities are expected to work for non-root users, this option should be set.
# runtime_root = "/path/to/the/root"
# - runtime_root (optional, string): Root directory for storage of containers
#   runtime_type, runtime_root and runtime_config_path will be replaced by
# runtime_root = "/run/crun"

What did you expect to happen?

I expect to have allowed_annotations in the return value.

How can we reproduce it (as minimally and precisely as possible)?

See above.

Anything else we need to know?

We may need to fix this.

cri-o/pkg/config/template.go

Lines 1378 to 1417 in a8b550a

const templateStringCrioRuntimeWorkloads = `# The workloads table defines ways to customize containers with different resources
# that work based on annotations, rather than the CRI.
# Note, the behavior of this table is EXPERIMENTAL and may change at any time.
# Each workload, has a name, activation_annotation, annotation_prefix and set of resources it supports mutating.
# The currently supported resources are "cpuperiod" "cpuquota", "cpushares", "cpulimit" and "cpuset". The values for "cpuperiod" and "cpuquota" are denoted in microseconds.
# The value for "cpulimit" is denoted in millicores, this value is used to calculate the "cpuquota" with the supplied "cpuperiod" or the default "cpuperiod".
# Note that the "cpulimit" field overrides the "cpuquota" value supplied in this configuration.
# Each resource can have a default value specified, or be empty.
# For a container to opt-into this workload, the pod should be configured with the annotation $activation_annotation (key only, value is ignored).
# To customize per-container, an annotation of the form $annotation_prefix.$resource/$ctrName = "value" can be specified
# signifying for that resource type to override the default value.
# If the annotation_prefix is not present, every container in the pod will be given the default values.
# Example:
# [crio.runtime.workloads.workload-type]
# activation_annotation = "io.crio/workload"
# annotation_prefix = "io.crio.workload-type"
# [crio.runtime.workloads.workload-type.resources]
# cpuset = "0-1"
# cpushares = "5"
# cpuquota = "1000"
# cpuperiod = "100000"
# cpulimit = "35"
# Where:
# The workload name is workload-type.
# To specify, the pod must have the "io.crio.workload" annotation (this is a precise string match).
# This workload supports setting cpuset and cpu resources.
# annotation_prefix is used to customize the different resources.
# To configure the cpu shares a container gets in the example above, the pod would have to have the following annotation:
# "io.crio.workload-type/$container_name = {"cpushares": "value"}"
{{ range $workload_type, $workload_config := .Workloads }}
{{ $.Comment }}[crio.runtime.workloads.{{ $workload_type }}]
{{ $.Comment }}activation_annotation = "{{ $workload_config.ActivationAnnotation }}"
{{ $.Comment }}annotation_prefix = "{{ $workload_config.AnnotationPrefix }}"
{{ if $workload_config.Resources }}{{ $.Comment }}[crio.runtime.workloads.{{ $workload_type }}.resources]
{{ $.Comment }}cpuset = "{{ $workload_config.Resources.CPUSet }}"
{{ $.Comment }}cpuquota = {{ $workload_config.Resources.CPUQuota }}
{{ $.Comment }}cpuperiod = {{ $workload_config.Resources.CPUPeriod }}
{{ $.Comment }}cpushares = {{ $workload_config.Resources.CPUShares }}
{{ $.Comment }}cpulimit = {{ $workload_config.Resources.CPULimit }}{{ end }}
{{ end }}

Ideally we want a new mechanism to avoid missing options in the return value. (I thought we had it)

CRI-O and Kubernetes version

bin/crio version
INFO[2025-09-16T10:11:55.113011985Z] Updating config from single file: /etc/crio/crio.conf
INFO[2025-09-16T10:11:55.113044187Z] Updating config from drop-in file: /etc/crio/crio.conf
INFO[2025-09-16T10:11:55.113252395Z] Updating config from path: /etc/crio/crio.conf.d
Version:        1.35.0
GitCommit:      81e69a58c7e6ec8699b3bdd8696b1d0e25e32bfb
GitCommitDate:  2025-09-11T18:05:04Z
GitTreeState:   clean
BuildDate:      2025-09-16T10:09:19Z
GoVersion:      go1.25.1
Compiler:       gc
Platform:       linux/amd64
Linkmode:       dynamic
BuildTags:
  containers_image_ostree_stub
  apparmor
  seccomp
  selinux
LDFlags:          unknown
SeccompEnabled:   true
AppArmorEnabled:  false
$ kubectl version --output=json
# paste output here

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

Additional environment details (AWS, VirtualBox, physical, etc.)
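The gap the issue describes is easy to see in miniature: the workload template emits activation_annotation and annotation_prefix but has no line for allowed_annotations, so a value that was loaded from crio.conf never appears in `crio config` output. The following is an added example, not CRI-O's own code: it renders a trimmed-down copy of the template shape from the issue (brokenTemplate) next to a version that emits the missing array (fixedTemplate), over a constructed Workload struct that stands in for the real config type, and runs a hypothetical round-trip check (missingKeys) of the kind the reporter asks for, which flags any key that was set in the loaded config but never assigned in the rendered output.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Workload is a constructed stand-in for the fields this issue cares about;
// it is not CRI-O's own workload config struct.
type Workload struct {
	ActivationAnnotation string
	AnnotationPrefix     string
	AllowedAnnotations   []string
}

// templateData mirrors the two things the template reads: $.Comment ("" or
// "# ", used to render unset sections as comments) and the workloads map.
type templateData struct {
	Comment   string
	Workloads map[string]Workload
}

// brokenTemplate has the same shape as the template quoted in the issue:
// activation_annotation and annotation_prefix are emitted, allowed_annotations
// is silently dropped. Trimmed to the lines that matter here.
const brokenTemplate = `{{ range $name, $w := .Workloads }}
{{ $.Comment }}[crio.runtime.workloads.{{ $name }}]
{{ $.Comment }}activation_annotation = "{{ $w.ActivationAnnotation }}"
{{ $.Comment }}annotation_prefix = "{{ $w.AnnotationPrefix }}"
{{ end }}`

// fixedTemplate adds the missing allowed_annotations array. The array is
// guarded by an if so a workload without entries renders exactly as before,
// and every line carries $.Comment so commented-out defaults stay well-formed.
const fixedTemplate = `{{ range $name, $w := .Workloads }}
{{ $.Comment }}[crio.runtime.workloads.{{ $name }}]
{{ $.Comment }}activation_annotation = "{{ $w.ActivationAnnotation }}"
{{ $.Comment }}annotation_prefix = "{{ $w.AnnotationPrefix }}"
{{ if $w.AllowedAnnotations }}{{ $.Comment }}allowed_annotations = [
{{ range $a := $w.AllowedAnnotations }}{{ $.Comment }}	"{{ $a }}",
{{ end }}{{ $.Comment }}]
{{ end }}{{ end }}`

// render executes a template over data and returns the generated config text.
func render(tmpl string, data templateData) (string, error) {
	t, err := template.New("workloads").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// missingKeys is a hypothetical round-trip check (not a CRI-O API): given the
// keys that were actually set in the loaded config, report the ones the
// rendered output never assigns, so a dropped option fails loudly.
func missingKeys(rendered string, setKeys []string) []string {
	var missing []string
	for _, k := range setKeys {
		if !strings.Contains(rendered, k+" = ") {
			missing = append(missing, k)
		}
	}
	return missing
}

// sampleData reproduces the crio.conf from the issue report (constructed input).
func sampleData() templateData {
	return templateData{
		Comment: "", // the section is set, so it is rendered uncommented
		Workloads: map[string]Workload{
			"openshift-builder": {
				ActivationAnnotation: "io.openshift.builder",
				AllowedAnnotations: []string{
					"io.kubernetes.cri-o.userns-mode",
					"io.kubernetes.cri-o.umask",
					"io.kubernetes.cri-o.Devices",
				},
			},
		},
	}
}

func main() {
	setKeys := []string{"activation_annotation", "allowed_annotations"}
	for name, tmpl := range map[string]string{"broken": brokenTemplate, "fixed": fixedTemplate} {
		out, err := render(tmpl, sampleData())
		if err != nil {
			fmt.Fprintln(os.Stderr, name, err)
			os.Exit(1)
		}
		fmt.Printf("--- %s template ---\n%s\nmissing keys: %v\n", name, out, missingKeys(out, setKeys))
	}
}
```

Running it prints the broken rendering with `missing keys: [allowed_annotations]` and the fixed rendering with none missing. The same check run over the real template against a config with every workload field set is a cheap regression test for the "new mechanism to avoid missing options" the reporter mentions.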

Labels

good first issue: Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
kind/bug: Categorizes issue or PR as related to a bug.
lifecycle/stale: Denotes an issue or PR has remained open with no activity and has become stale.