Samuel Karp

Results: 341 comments by Samuel Karp

> Utilize the parsed reference (including domain) from reference.ParseAnyReference() when tagging images.

It looks like this only affects `ctr`, so that's one place that images might be tagged but won't...

@t33m I think https://github.com/containerd/nri/pull/171 will satisfy your use case. This introduces a new builtin validator plugin that can:

* Reject new containers that have an annotation requiring a specific plugin...

I don't yet see a description of how generic artifacts should be mounted as part of [KEP-4639](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/4639-oci-volume-source). I think that should be the first step before we try to implement...

@haircommander I think we probably want both: allowlist/denylist for modifiable attributes (so an admin can categorically say "NRI plugins cannot inject hooks" for example) and allowlist/denylist for pods that can...

> Right now with mount or devices adjustments you can escape to the host

Yes, also with hook adjustments.

@klihub My apologies for the delay here.

> Restrictions are communicated to an NRI plugin during registration. The plugin can then report and choose not to start up if the...

> But, now that I see you spell that out, I think we should fail to create/start the container as well (since now we also know for a fact that...

> for validation plugin it does not matter the order, right? the result is the AND of all plugins, or all are OK with the change or a single DENY...