In today's containerd cri, in the case of privileged container, cri adds all host devices and ignore the device mapping when PrivilegedWithoutHostDevices is false(default value). Otherwise, cri only adds configured device mapping.

But the device mapping should be honored even in privileged mode.

Steps to reproduce the issue:
I didn't find an easy way to produce because ctr --device flag doesn't support device mapping. See #5046

1. Start a k8s cluster
2. Create a PersistentVolume with volumeMode as Block
3. Create a PersistentVolumeClaim with volumeMode as Block. (You should see the PersistentVolumeClaim is bound with PersistentVolume)
4. Create a Pod with volume corresponding to the PersistentVolumeClaim and specify a devicePath

apiVersion: v1
kind: Pod 
spec:
  containers:
    securityContext:
      privileged: true
    volumeDevices:
      devicePath: /my-disk
      name: example-local-claim
  volumes:
    name: example-local-claim
    persistentVolumeClaim:
      claimName: example-local-claim

5. exec into the pod

Describe the results you received:

• /dev/ has all the host devices
• /my-disk doesn't exist

Describe the results you expected:

• /dev/ has all the host devices
• /my-disk exist

Output of containerd --version:

containerd github.com/containerd/containerd v1.5.0-beta.1-2-gddcc431c1.m ddcc431c11b80aacf495dbcf920fe46f7d748345.m

Any other relevant information:

• Tracking issue in k8s: volumeDevices mapping ignored when container is privileged kubernetes/kubernetes#85624
• Merged fix in docker: 35991- make --device works at privileged mode moby/moby#40291