
Commit 0605d29

docs: update README.md.
Update documentation for plugin authentication and validation.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
1 parent 3c7edc2 commit 0605d29

1 file changed

+34
-0
lines changed


README.md

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -496,6 +496,40 @@ access to these sockets and can act as NRI or Device Plugins. See the
496496
and [best practices](https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/)
497497
about Kubernetes security.
498498

499+
## Plugin Authentication
500+
501+
NRI can be configured to authenticate plugins during connection setup.
502+
The purpose of authentication is to reliably establish an identity for
503+
a plugin which then allows validation to apply different policies to
504+
plugins with different identity.
505+
506+
This plugin identity is called a role in NRI. A role has a unique name,
507+
has a set of associated plugin keys, and an optional set of opaque tags.
508+
Keys map plugins to roles. Any plugin which identifies and authenticates
509+
itself with a matching key is associated with the role or the key. Role
510+
tags are opaque, carrying no semantic meaning for NRI itself. They can
511+
however carry semantic meaning for custom validators. Once a plugin gets
512+
authenticated, the assigned role and its tags are made available to the
513+
plugin itself and to any validating plugin.
514+
515+
### Default Validation of Authenticated Plugins
516+
517+
The default validator can be configured to apply different restrictions
518+
to different roles, hence to different plugins. This allows setting up
519+
a restricted default configuration then loosen these restrictions for
520+
selected plugins using per role overrides. For instance, one can disable
521+
Linux namespace adjustment globally, then allow it only for a single or
522+
a few plugins.
523+
524+
### Custom Validation of Authenticated Plugins
525+
526+
Plugin role names and role tags are both passed to custom validators, so
527+
custom validators can take authentication into account during validation.
528+
Tags can be used to decompose a role into a set of explicitly assigned
529+
capabilities valid for that role. This allows validators to decide whether
530+
to allow or reject any changes requested by a plugin based on capabilities
531+
instead of attaching such semantics implicitly to a role name.
532+
499533
## API Stability
500534

501535
NRI APIs should not be considered stable yet. We try to avoid unnecessarily
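Review bot: the new "Plugin Authentication" section says NRI "can be configured to authenticate plugins during connection setup" but never says how, so a reader cannot set it up from this text alone: state which configuration enables authentication, how roles with their keys and tags are provisioned, and what a plugin key actually is (a shared secret, a signed token, a certificate), or link to the reference document that covers it. The failure case is also left undefined and matters most for the security reading of this section: say explicitly what happens to a plugin that presents no key or a non-matching key, whether the connection is refused or the plugin is admitted with no role and therefore only the restricted default policy from "Default Validation of Authenticated Plugins" applies, because the per-role overrides described there loosen restrictions, which makes a role's key a credential whose handling and storage deserve a sentence of guidance. Minor wording in the hunk: "is associated with the role or the key" reads like a typo for "the role of the key"; "plugins with different identity" should be "different identities"; "a restricted default configuration then loosen these restrictions" should be "then loosening these restrictions".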
