nri/plugins/hook-injector

OCI Hook Injector Plugin

The OCI runtime configuration supports hooks, which are custom actions related to the lifecycle of a container. This plugin performs OCI hook injection into containers using the Hook Manager package of podman. CRI-O has native hook injection support using the same package. This plugin essentially achieves CRI-O compatible OCI hook injection for other runtimes using NRI.

Deployment

The NRI repository contains minimal kustomize overlays for this plugin at contrib/kustomize/hook-injector.

Deploy the latest release with:

kubectl apply -k https://github.com/containerd/nri/contrib/kustomize/hook-injector

Deploy a specific release with:

RELEASE_TAG=v0.10.0
kubectl apply -k "github.com/containerd/nri/contrib/kustomize/hook-injector?ref=${RELEASE_TAG}"

Deploy the latest development build from tip of the main branch with:

kubectl apply -k https://github.com/containerd/nri/contrib/kustomize/hook-injector/unstable

Testing

You can test this plugin using a Kubernetes cluster/node with a container runtime that has NRI support enabled (Enabling NRI in Containerd). Once you've enabled NRI on your runtime, you can use the sample hook configuration, placing it at /etc/containers/oci/hooks.d, and the sample hook, placing it at /usr/local/sbin/.

Note: OCI hook configuration details and default file paths can be found in the OCI Configuration Package Documentation

Start the plugin directly on the target node by running hook-injector -idx 10 from the folder containing the binary. Alternatively, you can create a symbolic link to the hook-injector binary in the plugin path configured for the runtime, with the idx as the prefix (ex. 10-hook-injector)

Additional details on hook configuration can be found in the OCI hook configuration documentation.

Finally, create a test pod using the sample pod spec and check for the log output of the hook, which will be at /tmp/demo-hook.log