cri: treat disabled CDI an error for injection requests.

If a container has CDI devices requested by the dedicated CRI protocol
field, treat this as an error if CDI support is explicitly disabled by
configuration, instead of silently ignoring the requested devices.

Additionally, if CDI support is disabled log a warning about the future
deprecation of the EnableCDI configuration option.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>

diff --git a/internal/cri/server/container_create_linux.go b/internal/cri/server/container_create_linux.go
index 201327594e3df5eee4da5567729faa9376e0bbc2..1f85e208b8393e99f337a50c129714c4527a2873 100644 (file)
--- a/internal/cri/server/container_create_linux.go
+++ b/internal/cri/server/container_create_linux.go
@@ -102,7 +102,17 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
        }
        if c.config.EnableCDI == nil || *c.config.EnableCDI {
                specOpts = append(specOpts, customopts.WithCDI(config.Annotations, config.CDIDevices))
+       } else {
+               if len(config.CDIDevices) > 0 {
+                       names, sep := "", ""
+                       for _, dev := range config.CDIDevices {
+                               names += sep + dev.Name
+                               sep = ", "
+                       }
+                       return nil, fmt.Errorf("CDI devices (%s) requested but CDI support is explicitly disabled", names)
+               }
        }
+
        return specOpts, nil
 }