hacking: plugin authentication #7 (Open)
klihub wants to merge 216 commits into
Signed-off-by: Iceber Gu <caiwei95@hotmail.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
plugins/template: fix a typo in a comment.
plugins/device-injector: fix a small typo in README.md.
stop closed plugins that will be removed
Signed-off-by: Yang Yang <yang8518296@163.com>
In some scenarios, such as a runtime restart or an NRI request timeout, the ttrpc connection between the plugin and the runtime is actively closed by the runtime, and even the underlying network connection is closed together with it. After this, the plugin must re-register with the adaptation side, but currently the stub object cannot be reused for this; if the running plugin wants to reconnect to the runtime, the only way is to create a new stub for the plugin. This commit splits the lifecycle of the stub and the ttrpc connection to better support the development of external plugins. The plugin developer can build the stub once and use it to connect to the adaptation side many times, only needing to re-call the Start() function.
Signed-off-by: Lei Liu <liulei.pt@bytedance.com>
stub: support restart after stub stopped
support pids cgroup
Signed-off-by: Jitang Lei <leijitang@outlook.com>
types: Fix a typo
Add support for native CDI injection. With this in place, a plugin can now directly request injection of CDI devices by device name. This is much simpler than first performing CDI device resolution and injection, followed by a set of low-level NRI adjustments for devices, mounts, env. vars. and OCI hooks to effectively do the same.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add support for injecting annotated CDI devices using the new native NRI CDI injection API.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Clarify order of preference for the possible annotations.
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
api: add support for NRI-native CDI injection
Signed-off-by: Xiaojin Zhang <874478410@qq.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add support for adjusting OOM score adjustment.
Signed-off-by: Xiaojin Zhang <874478410@qq.com>
Co-authored-by: Mike Brown <brownwm@us.ibm.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Reset source path of api.pb.go to pkg/api/api.proto
Add .codespellrc, fix reported existing spelling errors.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
…lure adaptation: close plugin if initial synchronization fails.
When a container mount is removed without replacing it by another mount to the same destination, NRI needs to pass the deletion to the runtime among the adjustments. Otherwise the mount will not get removed.
Co-authored-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: jingtao.liang <jingtao.liang@easystack.cn>
Disable: QF1008: could remove embedded field "Generator" from selector
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
…ositives golangci: disable QF1008 from staticcheck linter
ci: enable image signing
4304210 to fa2c739
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
9b1d916 to b1acc61
…ustomize contrib: add example for enabling per-container RDT monitoring
Neither assume that we have a single proto definition nor hardcode proto file locations for post-processing actions based on such an assumption.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add a service and protocol for challenge-response authentication. Define an interface for authentication implementations. Implement a default authentication, mostly based on the ideas described in containerd#152, the proposal for plugin authentication. Add examples/keygen.go for generating key pairs for this default implementation.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add optional authentication-related information to the list of plugin instances for validation. This should allow finer-grained validation, including looser or stricter restrictions for authenticated vs. unauthenticated plugins.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add a new option for acquiring a public/private key pair from an external source for authenticating with the runtime. Using this option implicitly enables plugin authentication prior to registration. Also add a new environment variable to read keys from files. Together with bind-mounted secrets, this should provide enough plumbing to enable transparent authentication of containerized plugins.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Add support for plugin authentication. Authenticating a plugin associates it with a role. A role has a unique name and it can have an optional set of associated tags. These tags are opaque, carrying no semantic meaning for authentication or NRI itself. However, tags can have associated semantics during validation and authorize plugins to perform otherwise restricted actions. This is the primary intended usage for tags: allow validators to associate rights with tags instead of role names.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Implement role based overrides for authenticated plugins. This allows setting a restrictive default configuration and override it with more liberal configuration for some plugins/roles.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
c7f97fc to 99fec92
Update documentation for plugin authentication and validation.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
99fec92 to 63d8c5d
No description provided.