
Commit ff91856

docs: update README.md.
Update documentation for plugin authentication and validation. Signed-off-by: Krisztian Litkey <[email protected]>
1 parent c6b3f96 commit ff91856

File tree

1 file changed

+34
-0
lines changed

README.md

Lines changed: 34 additions & 0 deletions
@@ -492,6 +492,40 @@ access to these sockets and can act as NRI or Device Plugins. See the
492492
and [best practices](https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/)
493493
about Kubernetes security.
494494

495+
## Plugin Authentication
496+
497+
NRI can be configured to authenticate plugins during connection setup.
498+
The purpose of authentication is to reliably establish an identity for
499+
a plugin which then allows validation to apply different policies to
500+
plugins with different identity.
501+
502+
This plugin identity is called a role in NRI. A role has a unique name,
503+
has a set of associated plugin keys, and an optional set of opaque tags.
504+
Keys map plugins to roles. Any plugin which identifies and authenticates
505+
itself with a matching key is associated with the role or the key. Role
506+
tags are opaque, carrying no semantic meaning for NRI itself. They can
507+
however carry semantic meaning for custom validators. Once a plugin gets
508+
authenticated, the assigned role and its tags are made available to the
509+
plugin itself and to any validating plugin.
510+
511+
### Default Validation of Authenticated Plugins
512+
513+
The default validator can be configured to apply different restrictions
514+
to different roles, hence to different plugins. This allows setting up
515+
a restricted default configuration then loosen these restrictions for
516+
selected plugins using per role overrides. For instance, one can disable
517+
Linux namespace adjustment globally, then allow it only for a single or
518+
a few plugins.
519+
520+
### Custom Validation of Authenticated Plugins
521+
522+
Plugin role names and role tags are both passed to custom validators, so
523+
custom validators can take authentication into account during validation.
524+
Tags can be used to decompose a role into a set of explicitly assigned
525+
capabilities valid for that role. This allows validators to decide whether
526+
to allow or reject any changes requested by a plugin based on capabilities
527+
instead of attaching such semantics implicitly to a role name.
528+
495529
## API Stability
496530

497531
NRI APIs should not be considered stable yet. We try to avoid unnecessarily
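Review bot: the sentence "Any plugin which identifies and authenticates itself with a matching key is associated with the role or the key." in the Plugin Authentication section reads as a typo; given the preceding "Keys map plugins to roles." it should be "the role of the key". Two more wording points in the same hunk: "This allows setting up a restricted default configuration then loosen these restrictions" should be "then loosening these restrictions", and "plugins with different identity" should be "plugins with different identities". Separately, the section states that NRI "can be configured to authenticate plugins" and that roles have "a set of associated plugin keys", but it does not say where the key-to-role mapping is configured or how a plugin presents its key during connection setup; a one-line pointer to the relevant configuration section, or a minimal configuration example showing a role with its keys and tags, would make the new section actionable for readers.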
