Changes the build targets of plugins to always unconditionally execute
without trying to check dependencies. The previous make targets were
faulty, e.g. changing something in the library didn't rebuild the
plugins. This is a simple and stupid fix that I believe is good enough -
building the plugins is really fast and go compiler caching makes it
super fast for "unnecessary" builds.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
In the OCI hook configuration args[0] will not be passed to the hook
script as an arg (by convention args[0] is the command).
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Make those sample plugins which have OnClose defined exit in a similar
fashion, with a log message and exit status 1. This is consistent with
the rest of the sample plugins which also exit with status 1 in this
case (but a different log output).
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Drop the -name command line flag from most of the sample plugins.
Exceptions are the template plugin and the ulimit-adjuster plugin where
the name is inserted into the log context.
Also, the differ plugin now takes its name the standard way, dropping the
WithPluginName() opt.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Add a generic dockerfile for building container images of the sample
plugins. The build command creates statically linked binaries and the
resulting images are minimal, based on scratch base image.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Also add minimal readme for the template and wasm plugins.
The default-validator plugin is left out as it cannot be built as an
external plugin (without changes).
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Fix crash with error "Plugin subscribed for unhandled events..." when
started with -events=all.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Implement configurable restrictions for linux seccomp policy
adjustment in the default validator.
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Let the stub determine which events the logger plugin subscribes
to. This should fix startup errors about trying to subscribe to
{Post,}UpdatePodSandbox events without handlers. Once the runtimes
start delivering those events we can add handlers for them and
that will get us subscribed to them automatically.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
This reverts commit eb6476a3fd.
The old NRI client and types are still imported by containerd for the
podsandbox sandbox controller and plugins are still invoked as part of
setting up the pause container.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
The nri.io domain is not owned or controlled by CNCF and its use should
be discouraged. This commit adds support for the new noderesource.dev
domain, which is a CNCF-owned domain.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
The nri.io domain is not owned or controlled by CNCF and its use should
be discouraged. This commit adds support for the new noderesource.dev
domain, which is a CNCF-owned domain.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
The nri.io domain is not owned or controlled by CNCF and its use should
be discouraged. This commit adds support for the new noderesource.dev
domain, which is a CNCF-owned domain.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
Implement default (container creation/adjustment) validation
as a builtin plugin. The default validator can be configured
to reject OCI hook injection. Additionally, containers can be
annotated with a set of required plugins. If annotated, these
plugins must be present during container creation or else the
creation of the container is rejected by the validator.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Implement pluggable container adjustment validation. When validator
plugins are present, use them to validate the collected adjustments,
failing container creation if any validation fails.
For adjustment validation, plugins receive the pod, the pristine
unadjusted container, the collected container adjustments, information
about which plugins adjusted what container parameters, and the list
of plugins consulted for the adjustments. The plugin can then choose
to accept or reject the adjustments.
Accepting or rejecting adjustments is transactional. Either all or
none of the adjustments are accepted, together with the container
creation request. IOW, rejecting an adjustment results in a failed
container creation request.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
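As an added illustration of the validation semantics the two commit messages above describe (the configurable rejection of OCI hook injection, the required-plugins annotation, and all-or-none acceptance), here is a self-contained Go model; it is not NRI's own code or API, and the request struct, the `hooks` owner key, the annotation key and the plugin names are constructed stand-ins.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-in for the validation request; field names are assumptions, not the NRI API.
type ValidateRequest struct {
	PodAnnotations   map[string]string
	InjectedHooks    []string          // OCI hooks the collected adjustments would add
	Owners           map[string]string // adjusted parameter -> plugin that set it
	PluginsConsulted []string          // plugins consulted for the adjustments
}

// Placeholder annotation key; the real key is not given on this page.
const requiredPluginsAnnotation = "required-plugins.example.invalid/constructed"

// Validate accepts or rejects the collected adjustments as a whole: any
// error fails the entire container creation request (all or none).
func Validate(rejectHooks bool, req ValidateRequest) error {
	if rejectHooks && len(req.InjectedHooks) > 0 {
		return fmt.Errorf("OCI hook injection by plugin %q rejected: %s", req.Owners["hooks"], strings.Join(req.InjectedHooks, ","))
	}
	if list, ok := req.PodAnnotations[requiredPluginsAnnotation]; ok {
		consulted := make(map[string]bool, len(req.PluginsConsulted))
		for _, p := range req.PluginsConsulted {
			consulted[p] = true
		}
		var missing []string
		for _, name := range strings.Split(list, ",") {
			if name = strings.TrimSpace(name); name != "" && !consulted[name] {
				missing = append(missing, name)
			}
		}
		if len(missing) > 0 {
			sort.Strings(missing)
			return fmt.Errorf("required plugins missing: %s", strings.Join(missing, ","))
		}
	}
	return nil
}

func main() {
	// Constructed request: the pod requires two plugins but only one was consulted.
	req := ValidateRequest{
		PodAnnotations:   map[string]string{requiredPluginsAnnotation: "netlogger,differ"},
		PluginsConsulted: []string{"differ"},
	}
	fmt.Println(Validate(true, req)) // prints "required plugins missing: netlogger"
}
```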
Rework equality checking for unit test results using go-cmp,
aiming for fewer kludges. Define a set of Strip() helpers to
reduce otherwise semantically equivalent adjustments/updates
to a unique canonical form, thus allowing equality checks
using go-cmp/cmp.Equal().
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
This API is called by the container runtime to update pod sandbox
resources when they change. This is for the In-place Pod Resize
KEP-1287.
Signed-off-by: Chris Henzie <chrishenzie@google.com>
Allow NRI plugins to read the IPs allocated to the pod on the PodSandbox
hooks. This is especially useful for networking daemons that depend on the Pod
IPs assigned via CNI by the container runtime (service mesh, network
policies, ... ) to create seamless integrations without having to modify
the existing environment.
Existing network integrations use techniques like:
- CNI chaining (invasive) as the implementation needs to modify the existing
deployment and can cause disruption due to mutations on the
existing configurations.
- Read Pod Status, that is too late in the process, since the pod
lifecycle does not update the pod status until the containers are
running, but there are applications like network policy
implementations or service meshes that need this information before
the pod is completely created.
- Inspect the host namespaces to gather the information, that is very
intrusive and not portable, creating a tight coupling between them.
Add an nri plugin that can be used as a reference implementation for this
integration; the nri plugin just logs the interesting networking details
of the pod (ips and network namespace) on the different hooks of the pod lifecycle.
Change-Id: Idb9605c719903d0df51c9a1947e0f838870b5c0b
Signed-off-by: Antonio Ojea <aojea@google.com>
Update ttrpc to get sender-side reject of oversized messages.
Although purely a cosmetic change, update sample plugins' NRI
dependency to our latest tag.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Update ginkgo to v2.19.1. This should get us rid of the coverage
collection errors seen in CI.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Clarify order of preference for the possible annotations.
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add support for injecting annotated CDI devices using the
new native NRI CDI injection API.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>