restrict apparmor security opt to docker

pull/8687/head
Sharif Elgamal 2020-07-09 12:58:01 -07:00
parent b12dbeb8c0
commit d0d3973a13
1 changed files with 2 additions and 2 deletions


@ -126,8 +126,6 @@ func CreateContainerNode(p CreateParams) error {
// for now this is what we want. in the future we may revisit this.
"--privileged",
"--security-opt", "seccomp=unconfined", // ignore seccomp
// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
"--security-opt", "apparmor=unconfined",
"--tmpfs", "/tmp", // various things depend on working /tmp
"--tmpfs", "/run", // systemd wants a writable /run
// logs,pods be stroed on filesystem vs inside container,
@ -150,6 +148,8 @@ func CreateContainerNode(p CreateParams) error {
}
if p.OCIBinary == Docker {
runArgs = append(runArgs, "--volume", fmt.Sprintf("%s:/var", p.Name))
// ignore apparmore github actions docker: https://github.com/kubernetes/minikube/issues/7624
runArgs = append(runArgs, "--security-opt", "apparmor=unconfined")
}
runArgs = append(runArgs, fmt.Sprintf("--cpus=%s", p.CPUs))
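Review bot: The comment moved into the `if p.OCIBinary == Docker` branch cites only the GitHub Actions issue, yet the `apparmor=unconfined` argument below it is appended for every node container created with the Docker binary, on top of the `--privileged` and `seccomp=unconfined` arguments that stay in the first hunk. It also does not say why the option is now Docker-only, which the next reader will need in order to judge whether it can be narrowed further. I would reword it as `// Docker only: run the node container without an AppArmor profile (workaround for https://github.com/kubernetes/minikube/issues/7624); this applies on every Docker host, not just GitHub Actions`, which also fixes the `apparmore` spelling. If the workaround is only needed where that issue occurs, gating it on a detected condition would keep the profile in place elsewhere; that is inferred from the comment alone, since CreateContainerNode starts and ends outside these hunks.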