ulimit-adjuster: adopt noderesource.dev domain

The nri.io domain is not owned or controlled by CNCF and its use should be discouraged. This commit adds support for the new noderesource.dev domain, which is a CNCF-owned domain. Signed-off-by: Samuel Karp <samuelkarp@google.com>
2025-05-20 15:33:27 -07:00 · 2025-05-20 15:33:27 -07:00 · dbc916a8a9
parent b0a6411d46
commit dbc916a8a9
3 changed files with 30 additions and 18 deletions
--- a/plugins/ulimit-adjuster/README.md
+++ b/plugins/ulimit-adjuster/README.md
@ -5,9 +5,10 @@ This sample plugin can adjust ulimits for containers using pod annotations.
 ### Annotations

 ulimits are annotated using the key
-`ulimits.nri.containerd.io/container.$CONTAINER_NAME`, which adjusts ulimits
-for `$CONTAINER_NAME`.  The ulimit names are the valid names of Linux resource
-limits, which can be seen on the
+`ulimits.noderesource.dev/container.$CONTAINER_NAME`, which adjusts ulimits
+for `$CONTAINER_NAME`. For compatibility, this plugin also accepts annotations
+named `ulimits.nri.containerd.io/container.$CONTAINER_NAME`. The ulimit names
+are the valid names of Linux resource limits, which can be seen on the
 [`setrlimit(2)` manual page](https://linux.die.net/man/2/setrlimit).

 The annotation syntax for ulimit adjustment is
@ -23,7 +24,7 @@ The annotation syntax for ulimit adjustment is
 ```

 All fields are mandatory (`soft` and `hard` will be interpreted as 0 if
-missing).  The `type` field accepts names in uppercase letters
+missing). The `type` field accepts names in uppercase letters
 ("RLIMIT_NOFILE"), lowercase letters ("rlimit_memlock"), and omitting the
 "RLIMIT_" prefix ("nproc").

@ -32,5 +33,5 @@ missing).  The `type` field accepts names in uppercase letters
 You can test this plugin using a kubernetes cluster/node with a container
 runtime that has NRI support enabled. Start the plugin on the target node
 (`ulimit-adjuster -idx 10`), create a pod with some annotated ulimits, then
-verify that those get adjusted in the container.  See the
+verify that those get adjusted in the container. See the
 [sample pod spec](sample-ulimit-adjust.yaml) for an example.
--- a/plugins/ulimit-adjuster/adjuster.go
+++ b/plugins/ulimit-adjuster/adjuster.go
@ -32,7 +32,8 @@ import (
 )

 const (
-	ulimitKey    = "ulimits.nri.containerd.io"
+	ulimitKey    = "ulimits.noderesource.dev"
+	oldUlimitKey = "ulimits.nri.containerd.io" // Deprecated
 	rlimitPrefix = "RLIMIT_"
 )

@ -138,10 +139,20 @@ type ulimit struct {
 }

 func parseUlimits(ctx context.Context, container string, annotations map[string]string) ([]ulimit, error) {
-	key := ulimitKey + "/container." + container
-	val, ok := annotations[key]
-	if !ok {
-		log.G(ctx).Debugf("no annotations found with key %q", key)
+	keys := []string{
+		ulimitKey + "/container." + container,
+		oldUlimitKey + "/container." + container,
+	}
+	var val string
+	var ok bool
+	for _, key := range keys {
+		val, ok = annotations[key]
+		if ok {
+			break
+		}
+	}
+	if val == "" {
+		log.G(ctx).Debugf("no annotations found with keys %v", keys)
 		return nil, nil
 	}
 	ulimits := make([]ulimit, 0)
--- a/plugins/ulimit-adjuster/adjuster_test.go
+++ b/plugins/ulimit-adjuster/adjuster_test.go
@ -42,7 +42,7 @@ func TestParseAnnotations(t *testing.T) {
 		"one-valid": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: RLIMIT_NOFILE
  soft: 123
  hard: 456
@ -56,7 +56,7 @@ func TestParseAnnotations(t *testing.T) {
 		"multiple-valid": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: RLIMIT_NOFILE
  soft: 123
  hard: 456
@ -77,7 +77,7 @@ func TestParseAnnotations(t *testing.T) {
 		"missing-prefix": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: AS
  soft: 123
  hard: 456
@ -91,7 +91,7 @@ func TestParseAnnotations(t *testing.T) {
 		"lower-case": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: rlimit_core
  soft: 123
  hard: 456
@ -105,7 +105,7 @@ func TestParseAnnotations(t *testing.T) {
 		"lower-case-missing-prefix": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: cpu
  soft: 123
  hard: 456
@ -119,7 +119,7 @@ func TestParseAnnotations(t *testing.T) {
 		"invalid-prefix": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: ULIMIT_NOFILE
  soft: 123
  hard: 456
@ -129,7 +129,7 @@ func TestParseAnnotations(t *testing.T) {
 		"invalid-rlimit": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: RLIMIT_FOO
  soft: 123
  hard: 456
@ -139,7 +139,7 @@ func TestParseAnnotations(t *testing.T) {
 		"one-invalid": {
 			container: "foo",
 			annotations: map[string]string{
-				"ulimits.nri.containerd.io/container.foo": `
+				"ulimits.noderesource.dev/container.foo": `
 - type: RLIMIT_NICE
  soft: 456
  hard: 789