diff --git a/Gopkg.lock b/Gopkg.lock index 296642be47..42e09b2189 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -386,7 +386,7 @@ [[projects]] branch = "release-1.12" - digest = "1:586055d6fbea67a7cac1f36523ebe9e085c2fead657bb7162b6dd886d0e09fad" + digest = "1:dcd7ddc83a6a34ba9cb0c98d8a849d5cc351e02e17c88056e6f2844b889a8ea5" name = "github.com/kubernetes-sigs/cri-o" packages = [ "oci", @@ -395,7 +395,7 @@ "utils", ] pruneopts = "NUT" - revision = "84179cb1b3ac633a7434cec72966aba698216229" + revision = "0809b248a4691e5b82c192ad3c6c84d4705c1d89" [[projects]] digest = "1:2f42fa12d6911c7b7659738758631bec870b7e9b4c6be5444f963cdcfccc191f" diff --git a/pkg/controller/template/render.go b/pkg/controller/template/render.go index 46f2a8c47a..c0bc24178b 100644 --- a/pkg/controller/template/render.go +++ b/pkg/controller/template/render.go @@ -17,7 +17,6 @@ import ( ignv2_2types "github.com/coreos/ignition/config/v2_2/types" "github.com/ghodss/yaml" "github.com/golang/glog" - "github.com/openshift/machine-config-operator/lib/resourcemerge" mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1" "github.com/openshift/machine-config-operator/pkg/controller/common" "github.com/openshift/machine-config-operator/pkg/version" @@ -75,11 +74,7 @@ func generateTemplateMachineConfigs(config *RenderConfig, templateDir string) ([ if err != nil { return nil, fmt.Errorf("failed to create MachineConfig for role %s: %v", role, err) } - if len(roleConfigs) > 0 { - injectDockerConfigKubeletAuthSymlink(roleConfigs[len(roleConfigs)-1]) - } cfgs = append(cfgs, roleConfigs...) - } // tag all the machineconfigs with version of the controller. 
@@ -93,24 +88,6 @@ func generateTemplateMachineConfigs(config *RenderConfig, templateDir string) ([ return cfgs, nil } -// injectDockerConfigKubeletAuthSymlink is a hack to symlink /var/lib/kubelet/auth.json -> ~/.docker/config.json -// See https://bugzilla.redhat.com/show_bug.cgi?id=1686556 -// https://github.com/containers/skopeo/pull/612 -func injectDockerConfigKubeletAuthSymlink(cfg *mcfgv1.MachineConfig) { - authLink := ignv2_2types.Link{ - Node: ignv2_2types.Node{ - Filesystem: "root", - Path: "/root/.docker/config.json", - Overwrite: resourcemerge.BoolPtr(false), - }, - LinkEmbedded1: ignv2_2types.LinkEmbedded1{ - Hard: false, - Target: "/var/lib/kubelet/config.json", - }, - } - cfg.Spec.Config.Storage.Links = append(cfg.Spec.Config.Storage.Links, authLink) -} - // GenerateMachineConfigsForRole creates MachineConfigs for the role provided func GenerateMachineConfigsForRole(config *RenderConfig, role string, path string) ([]*mcfgv1.MachineConfig, error) { infos, err := ioutil.ReadDir(path) diff --git a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/aws/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/aws/files/-etc-crio-crio.conf index 39288bd46f..689a72157a 100644 --- a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/aws/files/-etc-crio-crio.conf +++ b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/aws/files/-etc-crio-crio.conf 
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
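Review bot: The rendered crio.conf now carries `pause_image_auth_file = "/var/lib/kubelet/config.json"`, pointing CRI-O at the kubelet pull-secret file directly, but neither this fixture nor (as far as this diff shows) the template it is rendered from records why, and the two properties the change relies on are not checked anywhere. The intent is a narrower exposure of the pull secret than the `/root/.docker/config.json` symlink that render.go stops injecting in this same commit (only the pause-image pull consumes it, rather than anything running as root with containers/image defaults), so I would add to the source template a comment such as `# pause_image_auth_file replaces the former /root/.docker/config.json -> /var/lib/kubelet/config.json symlink (see BZ 1686556)` and re-render the fixtures. What the fixture cannot show and should be confirmed: that the cri-o revision pinned in Gopkg.lock actually honours `pause_image_auth_file` (an older release-1.12 build might silently ignore an unknown key and fail the pause-image pull), and that nodes already provisioned with the symlink have it removed, since dropping a Link from the Ignition config presumably does not delete it on existing hosts. The aws and libvirt fixtures carry identical blob hashes (39288bd46f..689a72157a), so any template fix must be re-rendered into both.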
diff --git a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/libvirt/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/libvirt/files/-etc-crio-crio.conf index 39288bd46f..689a72157a 100644 --- a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/libvirt/files/-etc-crio-crio.conf +++ b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/libvirt/files/-etc-crio-crio.conf 
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
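Review bot: The new `source:` data URL carries a non-breaking space in the added comment, `pause_image%C2%A0above`, where every other separator in the file is `%20`; it sits inside a TOML comment so CRI-O will not choke on it, but a stray U+00A0 in a fixture is invisible in an editor, breaks plain-text searches for "pause_image above", and will be copied into the real template if this expected output was produced from it, so it should read `pause_image%20above`. Since this fixture is rendered output, the fix belongs in the source template; the libvirt, aws and none sections all carry the same blob (`index 39288bd46f..689a72157a`), so all three will change together. Separately, the added `pause_image_auth_file = "/var/lib/kubelet/config.json"` points CRI-O at the kubelet's credential file for infra-image pulls, and a one-line comment in the template recording why that path is used (rather than a per-user docker config) would save the next reader from re-deriving it.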
diff --git a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/none/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/none/files/-etc-crio-crio.conf index 39288bd46f..689a72157a 100644 --- a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/none/files/-etc-crio-crio.conf +++ b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/none/files/-etc-crio-crio.conf 
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
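Review bot: The added `pause_image_auth_file` comment on the new side encodes `%C2%A0` between `pause_image` and `above`, i.e. a U+00A0 non-breaking space instead of an ASCII space, so the rendered crio.conf carries an invisible non-ASCII byte in an otherwise ASCII file. It sits inside a `#` comment, so the TOML parser ignores it, but it is presumably inherited from the template this fixture is rendered from, which this diff does not show; replacing it with `%20` at the source (and re-rendering the fixtures) keeps the file clean and avoids confusing future diffs. The identical blob ids `39288bd46f..689a72157a` on the aws and openstack copies of this file indicate they carry the same byte. Separately, the new `pause_image_auth_file = "/var/lib/kubelet/config.json"` makes CRI-O read registry pull credentials directly from the kubelet's credential file (standing in for the `/root/.docker/config.json` symlink hack this commit removes from render.go); the diff does not show how that file is provisioned, so its ownership and mode should be confirmed to keep it readable by root only.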
diff --git a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/openstack/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/openstack/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/openstack/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/openstack/files/-etc-crio-crio.conf 
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
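Review bot: The comment introduced above `pause_image_auth_file` in the new `source:` data (the `%23%20If%20not%20empty` run) contains an encoded non-breaking space, `pause_image%C2%A0above`, where every other word separator in the file is `%20`; it is harmless inside a `#` comment, but it looks like a paste artefact and makes any byte-for-byte comparison between this fixture and the template it mirrors hinge on that one odd byte, so it should be `%20` in both places. The new value `/var/lib/kubelet/config.json` is, per the added comment, a credentials file CRI-O reads when pulling `pause_image`, and nothing in this hunk says which component creates it or with what permissions; a one-line note next to the setting in the template, e.g. `# NOTE: not created by this template; confirm where it is provisioned and that it is readable only by root`, would make that dependency explicit. The identical change appears in the sibling aws and vpshere fixtures in this commit.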
diff --git a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/vpshere/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/vpshere/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/master/01-master-container-runtime/vpshere/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/master/01-master-container-runtime/vpshere/files/-etc-crio-crio.conf
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
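Review bot: The newly added `pause_image_auth_file` comment in this fixture carries a non-breaking space (`%C2%A0`, U+00A0) between `pause_image` and `above`, so the decoded crio.conf comment is `# ... specified by pause_image above.` with a NBSP instead of an ASCII space. TOML ignores comment text so parsing is unaffected, but it will confuse grep/diff tooling and anyone copying the line; presumably the fixture is rendered from the corresponding template, so the fix belongs in that template and the test_data should then be regenerated so the decoded line reads `# necessary for pulling the image specified by pause_image above.` The same encoded text appears to be present in the sibling worker/aws fixture whose hunk continues past this view, and likely in the master/aws fixture above. Since this setting makes CRI-O read `/var/lib/kubelet/config.json` directly as a credentials file, it is also worth a one-line note in the template source stating that the kubelet is expected to own and write that file, so the dependency is visible to whoever next edits the mode or path.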
diff --git a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/aws/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/aws/files/-etc-crio-crio.conf index 39288bd46f..689a72157a 100644 --- a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/aws/files/-etc-crio-crio.conf +++ b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/aws/files/-etc-crio-crio.conf 
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
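Review bot: The comment introduced alongside `pause_image_auth_file` in the new-side data URI contains a non-breaking space (`%C2%A0`, U+00A0) between `pause_image` and `above`, so the decoded crio.conf line reads `pause_image\u00a0above` instead of `pause_image above`. Harmless inside a `#` comment, but this fixture is presumably rendered from the worker container-runtime template, so the fix belongs there: `# necessary for pulling the image specified by pause_image above.`, after which the aws and libvirt worker fixtures (the libvirt section starts just below) and the master fixture regenerate cleanly. Separately, `pause_image_auth_file = "/var/lib/kubelet/config.json"` makes infra-container pulls depend on a credential file the kubelet owns; if the vendored cri-o revision treats a missing or unreadable file as a hard error rather than falling back to an anonymous pull, first-boot ordering between cri-o and the kubelet matters and is worth confirming against that revision.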
diff --git a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/libvirt/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/libvirt/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/libvirt/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/libvirt/files/-etc-crio-crio.conf
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
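Review bot: The new `pause_image_auth_file` comment on the added side embeds a non-breaking space (`%C2%A0`, U+00A0) between `pause_image` and `above`, so the rendered /etc/crio/crio.conf carries a stray NBSP inside the comment line `# necessary for pulling the image specified by pause_image above.`; a plain ASCII space keeps the file grep-able and stops diff and lint tools from flagging it. The identical encoded text appears in the worker/none hunk that follows (cut off at the end of this chunk) and presumably in the master/aws fixture above, which suggests the character originates in the source template rather than in these expected-output files, so the fix belongs in the template with the fixtures regenerated afterwards. The setting itself, `pause_image_auth_file = "/var/lib/kubelet/config.json"`, is the intended replacement for the symlink hack removed from render.go and is a cleaner way to let CRI-O use the node's pull secret; since it is set unconditionally, it is worth confirming that CRI-O starts cleanly when the kubelet has not yet written that file, as the comment only describes the non-empty case.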
diff --git a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/none/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/none/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/none/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/none/files/-etc-crio-crio.conf
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
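Review bot: The added `pause_image_auth_file = "/var/lib/kubelet/config.json"` hard-codes the kubelet's pull-secret location into the CRI-O config with nothing documenting the coupling; if the kubelet template later moves that file, pause-image pulls from authenticated registries would likely fail only at node start rather than at render or test time. This fixture is presumably regenerated from the crio.conf template (not visible here), so the note belongs in that template, above the setting: `# Must match the path where the kubelet template writes the cluster pull secret; CRI-O reads it only for pause_image pulls.` The same comment encodes a non-breaking space (`%C2%A0` in `pause_image%C2%A0above`), likely copied from upstream crio.conf — harmless inside a TOML comment, but worth normalizing to a plain space in the template so the fixture does not carry a stray byte. Replacing the `/root/.docker/config.json` symlink with a setting scoped to the pause image also stops every root-run containers/image tool on the node from implicitly using the cluster pull secret; that narrowing is worth stating in the commit message.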
diff --git a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/openstack/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/openstack/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/openstack/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/openstack/files/-etc-crio-crio.conf
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 
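Review bot: The new `pause_image_auth_file = "/var/lib/kubelet/config.json"` line (decoded from the `+ source:` data URL) makes CRI-O read the kubelet's registry pull credentials directly, so this fixture now depends on that file existing and being restricted (root-owned, mode 0600) before CRI-O pulls the pause image; nothing in this hunk establishes that, and presumably the file is provisioned by another MachineConfig, so the permissions there are what protect the pull secret from other local users. The comment just above that setting also carries a non-breaking space, `pause_image%C2%A0above`, which should be `pause_image%20above` so the rendered crio.conf comment contains a plain space. Since this is test_data, the same NBSP presumably exists in the source template it mirrors; fixing it there and regenerating would keep the fixtures in sync.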
diff --git a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/vpshere/files/-etc-crio-crio.conf b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/vpshere/files/-etc-crio-crio.conf
index 39288bd46f..689a72157a 100644
--- a/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/vpshere/files/-etc-crio-crio.conf
+++ b/pkg/controller/template/test_data/templates/worker/01-worker-container-runtime/vpshere/files/-etc-crio-crio.conf
@@ -1,5 +1,5 @@ contents: - source: data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A
%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%2
0trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbi
n%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20ad
d%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20
logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignatu
re_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A + source: 
data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x
509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20containe
r%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20se
linux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0
A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20ar
e%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22image%2FinfraImage%3A1%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20tru
st%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A verification: {} filesystem: root mode: 420 diff --git a/templates/master/01-master-container-runtime/_base/files/crio.yaml b/templates/master/01-master-container-runtime/_base/files/crio.yaml index 6e84c243ab..6981525763 100644 
--- a/templates/master/01-master-container-runtime/_base/files/crio.yaml
+++ b/templates/master/01-master-container-runtime/_base/files/crio.yaml
@@ -205,6 +205,10 @@ contents:
 # pause_image is the image which we use to instantiate infra containers.
 pause_image = "{{.Images.infraImage}}"
+ # If not empty, the path to a docker/config.json-like file containing credentials
+ # necessary for pulling the image specified by pause_imageĀ above.
+ pause_image_auth_file = "/var/lib/kubelet/config.json"
+
 # pause_command is the command to run in a pause_image to have a container just
 # sit there. If the image contains the necessary information, this value need
 # not be specified.
diff --git a/templates/worker/01-worker-container-runtime/_base/files/crio.yaml b/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
index 6e84c243ab..6981525763 100644
--- a/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
+++ b/templates/worker/01-worker-container-runtime/_base/files/crio.yaml
@@ -205,6 +205,10 @@ contents:
 # pause_image is the image which we use to instantiate infra containers.
 pause_image = "{{.Images.infraImage}}"
+ # If not empty, the path to a docker/config.json-like file containing credentials
+ # necessary for pulling the image specified by pause_imageĀ above.
+ pause_image_auth_file = "/var/lib/kubelet/config.json"
+
 # pause_command is the command to run in a pause_image to have a container just
 # sit there. If the image contains the necessary information, this value need
 # not be specified.
diff --git a/vendor/github.com/kubernetes-sigs/cri-o/pkg/config/config.go b/vendor/github.com/kubernetes-sigs/cri-o/pkg/config/config.go
index f80415f25f..bcd91457ed 100644
--- a/vendor/github.com/kubernetes-sigs/cri-o/pkg/config/config.go
+++ b/vendor/github.com/kubernetes-sigs/cri-o/pkg/config/config.go
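Review bot: The added comment line `# necessary for pulling the image specified by pause_imageĀ above.` in the master crio.yaml template carries a non-breaking space (U+00A0, it surfaces as `%C2%A0` in the URL-encoded test fixtures above) between `pause_image` and `above` instead of a plain space; it should read `# necessary for pulling the image specified by pause_image above.` so the rendered crio.conf stays plain ASCII and a search for the phrase matches. The identical line is added in the worker template hunk that follows, so both copies need the same fix. Since `pause_image_auth_file` now makes CRI-O read node image-pull credentials from a hard-coded path, a one-line comment stating where that path is expected to come from would help the next maintainer keep the two in sync, e.g. `# Must match the path where the node's image-pull credentials (kubelet config.json) are written.`; I am inferring that relationship from the file name, so confirm it against the component that writes the file.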
@@ -210,6 +210,9 @@ type ImageConfig struct {
 // PauseImage is the name of an image which we use to instantiate infra
 // containers.
 PauseImage string `toml:"pause_image"`
+ // PauseImageAuthFile, if not empty, is a path to a docker/config.json-like
+ // file containing credentials necessary for pulling PauseImage
+ PauseImageAuthFile string `toml:"pause_image_auth_file"`
 // PauseCommand is the path of the binary we run in an infra
 // container that's been instantiated using PauseImage.
 PauseCommand string `toml:"pause_command"`