Comment 15 for bug 1878234

Peng Tao (bergwolf) wrote:

Yeah, I do understand your per-annotation whitelist approach. The problem is that users would have to predefine a list of acceptable values for every config option that is considered dangerous. Would it be too much for a user to configure? Other than the executables (shim, proxy, qemu, virtiofsd), we have other options that are equally important (like kernel path, image path, initrd path, default vCPU number, default memory size, guest kernel parameters, etc.). We just might have too many options for users to whitelist.

And to ease users' pain of configuration, in my proposal, the `white-list` option actually means that we only allow a predefined (by us!) set of options that can accept annotation configuration.
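The two checks discussed in this comment, sketched as an added example that is not part of the original comment or the project's code: a fixed set of options that annotations may set at all, combined with optional per-option value patterns. The `Policy` type, the option names and the paths are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Policy holds both checks (hypothetical type, not a project API).
type Policy struct {
	Overridable map[string]bool     // options an annotation may set at all
	Values      map[string][]string // optional per-option path glob patterns
}

// valueOK accepts any value when no pattern list exists for opt.
func (p Policy) valueOK(opt, val string) bool {
	pats, listed := p.Values[opt]
	if !listed {
		return true
	}
	for _, pat := range pats {
		// The path.Clean comparison rejects "..", "//" and trailing-slash forms.
		if m, err := path.Match(pat, val); err == nil && m && val == path.Clean(val) {
			return true
		}
	}
	return false
}

// Filter splits annotation overrides into accepted values and rejected names.
func (p Policy) Filter(ann map[string]string) (map[string]string, []string) {
	accepted, rejected := map[string]string{}, []string{}
	for opt, val := range ann {
		if !p.Overridable[opt] || !p.valueOK(opt, val) {
			rejected = append(rejected, opt)
			continue
		}
		accepted[opt] = val
	}
	sort.Strings(rejected)
	return accepted, rejected
}

// samplePolicy is constructed sample data; the option names are hypothetical.
var samplePolicy = Policy{
	Overridable: map[string]bool{"default_vcpus": true, "kernel_path": true},
	Values:      map[string][]string{"kernel_path": {"/opt/guest/vmlinux-*"}},
}

func main() {
	fmt.Println(samplePolicy.Filter(map[string]string{
		"default_vcpus": "4", "kernel_path": "/tmp/vmlinux", "qemu_path": "/tmp/qemu"}))
}
```

An option missing from `Overridable` is rejected without any value list being written for it, while each entry in `Values` is a list the operator has to maintain.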