Skip to content

Validate DRA env against prepared claims#194

Open
AutuSnow wants to merge 3 commits into
kubernetes-sigs:mainfrom
AutuSnow:fix-nri-shared-container-scope
Open

Validate DRA env against prepared claims#194
AutuSnow wants to merge 3 commits into
kubernetes-sigs:mainfrom
AutuSnow:fix-nri-shared-container-scope

Conversation

@AutuSnow

@AutuSnow AutuSnow commented Jun 23, 2026

Copy link
Copy Markdown
Contributor
  • Validate DRA_CPUSET_* env entries against claims prepared by this driver.
  • Reject containers whose DRA env references an unprepared claim or mismatched cpuset.
  • Keep ordinary non-DRA containers in the shared CPU pool.
    
    NRI CreateContainer runs for every container, not only containers prepared through DRA. A container-provided DRA_CPUSET_* env should not be trusted unless it matches driver-owned prepare state.
    
    This addresses the Fail closed on malformed DRA_CPUSET env #190 follow-up while preserving the intended shared-pool behavior for non-DRA containers.
    
    Follow-up:
    Fail closed on malformed DRA_CPUSET env #190 (comment)

@kubernetes-prow kubernetes-prow Bot requested review from ffromani and pohly June 23, 2026 09:53
@kubernetes-prow kubernetes-prow Bot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 23, 2026
@ffromani ffromani mentioned this pull request Jun 24, 2026
Open
@AutuSnow AutuSnow mentioned this pull request Jun 24, 2026
Open
pravk03
pravk03 reviewed Jun 25, 2026
View reviewed changes
Comment thread pkg/driver/nri_hooks.go Outdated
pravk03
pravk03 reviewed Jun 25, 2026
View reviewed changes

@pravk03 pravk03 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this important change.

/lgtm

Comment thread pkg/driver/nri_hooks.go Outdated
@kubernetes-prow kubernetes-prow Bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 25, 2026
@AutuSnow

AutuSnow commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

/hold

@kubernetes-prow kubernetes-prow Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 25, 2026
@kubernetes-prow kubernetes-prow Bot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 25, 2026
@kubernetes-prow

kubernetes-prow Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AutuSnow
Once this PR has been reviewed and has the lgtm label, please ask for approval from pravk03. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AutuSnow

AutuSnow commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

/unhold

@kubernetes-prow kubernetes-prow Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 25, 2026
@pravk03

pravk03 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Thanks for this!!
/lgtm

@kubernetes-prow kubernetes-prow Bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pravk03 pravk03 pravk03 left review comments
@ffromani ffromani Awaiting requested review from ffromani
@pohly pohly Awaiting requested review from pohly

Assignees

@pravk03 pravk03

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AutuSnow @pravk03