Krisztian Litkey
> Once we have discussed it clearly, we can track it from the nri repo.
>
> "we'd probably implement the configuration setting as a per-plugin parameter passed to NRI...
> Your understanding is correct, but we can simplify this problem. If all containers need to be adjusted by a certain NRI plug-in; if there is no adjustment or the...
@tych0 @mikebrow We had a discussion related to this with @samuelkarp and @kad and there are a few ideas how to move this forward. I try to summarize my understanding,...
> That works for me, though I don't currently have the bandwidth myself to implement any such security model.

No worries, we can try to cook up something for that,...
Ditto here as in https://github.com/containerd/nri/pull/124#issuecomment-2643456012. PTAL.
@tych0 We should rebase this on latest main/HEAD and add configurable lockdown of seccomp adjustment via the default validator. I have taken a look at what that would require and...
@mikebrow I have added fine-grained validation for seccomp policy/profile adjustment as you requested.
@aojea @tao12345666333 There is already an implementation which is just waiting for the necessary OCI Spec bits to get tagged, so we wouldn't need to have a commit-reference in go.mod....
@aojea @tao12345666333 Actually we already have a draft PR open for this: #157
Here is a [proposed fix](https://github.com/klihub/nri/tree/fixes/blockable-plugin-registration). It requires additional co-operation from the NRI integration code on the runtime side. The runtime should request blocking of plugin registration during event processing.