From 402994850c4ce9415c7895b302c0ad65a9f69dea Mon Sep 17 00:00:00 2001
From: Evan Hazlett <ejhazlett@gmail.com>
Date: Tue, 14 Mar 2017 09:53:02 -0400
Subject: [PATCH] restrict secret view to node level in controller

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Upstream-commit: 8392123f303e55902ac42544f0e7e226855592f6
Component: engine
---
 components/engine/daemon/cluster/executor/container/executor.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/engine/daemon/cluster/executor/container/executor.go b/components/engine/daemon/cluster/executor/container/executor.go
index 80f614731e..14eb4ddbe4 100644
--- a/components/engine/daemon/cluster/executor/container/executor.go
+++ b/components/engine/daemon/cluster/executor/container/executor.go
@@ -152,7 +152,7 @@ func (e *executor) Controller(t *api.Task) (exec.Controller, error) {
 		return newNetworkAttacherController(e.backend, t, e.secrets)
 	}
 
-	ctlr, err := newController(e.backend, t, e.secrets)
+	ctlr, err := newController(e.backend, t, secrets.Restrict(e.secrets, t))
 	if err != nil {
 		return nil, err
 	}