mirror of
https://github.com/containerd/containerd.git
synced 2026-06-24 08:48:48 +00:00
Image config labels are copied onto the container by both the CRI plugin (BuildLabels) and the client's WithImageConfigLabels option used by `ctr run`. Labels in the containerd.io/* namespace are interpreted by containerd itself and labels in the io.cri-containerd* namespace are interpreted by the CRI plugin. An image config is not a trusted source for labels in either namespace.

Skip labels in both reserved namespaces when copying labels from an image config to a container, and warn about each label skipped: an image that tries to set them may be attempting to alter containerd behavior. Oversized image labels are already skipped this way by the CRI plugin. Labels set explicitly by clients, for example via `ctr run --label` or in the CRI request, are unaffected.

Verified with the CRI plugin and with `ctr run` against an image whose config carries labels like these: the labels are no longer present on the created container and a warning is logged for each.

Assisted-by: Claude Code
Signed-off-by: Ben Cressey <ben@cressey.org>
Signed-off-by: Samuel Karp <samuelkarp@google.com>
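
An added example, not part of the commit above and not containerd's own code: the filtering rule the commit message describes, written as a hypothetical helper `copyImageLabels` that returns the skipped keys so the caller can log a warning for each. The plain prefix match, the helper names and all label keys are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Reserved namespaces named in the commit message. Matching them with a
// plain string prefix is an assumption of this example.
var reservedPrefixes = []string{"containerd.io/", "io.cri-containerd"}

func isReserved(key string) bool {
	for _, p := range reservedPrefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// copyImageLabels (hypothetical) builds container labels from an untrusted
// image config plus labels the client set explicitly. Reserved keys coming
// from the image are dropped and reported; client labels are never filtered.
func copyImageLabels(image, client map[string]string) (map[string]string, []string) {
	out := make(map[string]string, len(image)+len(client))
	var skipped []string
	for k, v := range image {
		if isReserved(k) {
			skipped = append(skipped, k)
			continue
		}
		out[k] = v
	}
	for k, v := range client { // explicit client labels win and pass through
		out[k] = v
	}
	sort.Strings(skipped) // stable order for logging
	return out, skipped
}

func main() {
	// Constructed sample input, not taken from any real image.
	image := map[string]string{
		"org.example.team":              "web",
		"containerd.io/example-setting": "from-image",
		"io.cri-containerd.example":     "from-image",
	}
	client := map[string]string{"containerd.io/example-setting": "from-client"}
	labels, skipped := copyImageLabels(image, client)
	for _, k := range skipped {
		fmt.Printf("warning: skipping reserved label %q from image config\n", k)
	}
	fmt.Println(labels)
}
```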