cdi-device-injector: use annotated allow pattern.

klihub · Jul 16, 2024 · 748e7f1 · 748e7f1
1 parent 179d52b
commit 748e7f1
Showing 1 changed file with 61 additions and 4 deletions.
diff --git a/cmd/plugins/cdi-device-injector/cdi-device-injector.go b/cmd/plugins/cdi-device-injector/cdi-device-injector.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -29,10 +30,15 @@ import (
 
 	"github.com/containerd/nri/pkg/api"
 	"github.com/containerd/nri/pkg/stub"
+
+	"github.com/containers/nri-plugins/pkg/kubernetes/client"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
-	cdiDeviceKey = "cdi.nri.io"
+	cdiDeviceKey    = "cdi.nri.io"
+	allowPatternKey = cdiDeviceKey + "/" + "allow"
+	nsEnvVar        = "POD_NAMESPACE"
 )
 
 var (
@@ -43,8 +49,11 @@ var (
 // our injector plugin
 type plugin struct {
 	stub                    stub.Stub
+	defaultCDIDevicePattern string
 	allowedCDIDevicePattern string
 	cdiCache                *cdiCache
+	namespace               string
+	client                  *client.Client
 }
 
 // CreateContainer handles container creation requests.
@@ -92,6 +101,35 @@ func (p *plugin) CreateContainer(ctx context.Context, pod *api.PodSandbox, conta
 	return adjust, nil, nil
 }
 
+func (p *plugin) setupDevicePattern() {
+	p.allowedCDIDevicePattern = p.defaultCDIDevicePattern
+	p.namespace = os.Getenv(nsEnvVar)
+	if p.namespace == "" {
+		log.Warnf("%q not set in environment", nsEnvVar)
+		return
+	}
+	log.Infof("using namespace %q", p.namespace)
+
+	var (
+		ctx  = context.Background()
+		opts = metav1.GetOptions{}
+	)
+
+	ns, err := p.client.CoreV1().Namespaces().Get(ctx, p.namespace, opts)
+	if err != nil {
+		log.Warnf("failed to get namespace %s: %v", p.namespace, err)
+		return
+	}
+
+	pattern, ok := ns.Annotations[allowPatternKey]
+	if !ok {
+		log.Warnf("namespace %q not annotated with key %q", p.namespace, allowPatternKey)
+		return
+	}
+
+	p.allowedCDIDevicePattern = pattern
+}
+
 func parseCdiDevices(annotations map[string]string, ctr string) ([]string, error) {
 	var errs error
 	var cdiDevices []string
@@ -160,8 +198,10 @@ func main() {
 	var (
 		pluginName              string
 		pluginIdx               string
-		allowedCDIDevicePattern string
+		defaultCDIDevicePattern string
+		kubeConfig              string
 		opts                    []stub.Option
+		clientOpts              []client.Option
 		err                     error
 	)
 
@@ -172,7 +212,8 @@ func main() {
 
 	flag.StringVar(&pluginName, "name", "", "plugin name to register to NRI")
 	flag.StringVar(&pluginIdx, "idx", "", "plugin index to register to NRI")
-	flag.StringVar(&allowedCDIDevicePattern, "allowed-cdi-device-pattern", "*", "glob pattern for allowed CDI device names")
+	flag.StringVar(&defaultCDIDevicePattern, "default-cdi-device-pattern", "*", "default glob pattern for allowed CDI device names if namespace is not annotated with "+allowPatternKey)
+	flag.StringVar(&kubeConfig, "kubeconfig", "", "kubeconfig file to use")
 	flag.BoolVar(&verbose, "verbose", false, "enable (more) verbose logging")
 	flag.Parse()
 
@@ -183,13 +224,29 @@ func main() {
 		opts = append(opts, stub.WithPluginIdx(pluginIdx))
 	}
 
+	if kubeConfig != "" {
+		clientOpts = append(clientOpts, client.WithKubeConfig(kubeConfig))
+	} else {
+		clientOpts = append(clientOpts, client.WithInClusterConfig())
+	}
+
+	cli, err := client.New(clientOpts...)
+	if err != nil {
+		log.Fatalf("failed to create kubernetes client: %v", err)
+	}
+
 	p := &plugin{
-		allowedCDIDevicePattern: allowedCDIDevicePattern,
+		client:                  cli,
+		defaultCDIDevicePattern: defaultCDIDevicePattern,
 		cdiCache: &cdiCache{
 			// TODO: We should allow this to be configured
 			Cache: cdi.GetDefaultCache(),
 		},
 	}
+
+	p.setupDevicePattern()
+	log.Infof("using allowed CDI device pattern %q", p.allowedCDIDevicePattern)
+
 	if p.stub, err = stub.New(p, opts...); err != nil {
 		log.Fatalf("failed to create plugin stub: %v", err)
 	}