
Conversation

@ngopalak-redhat
Contributor

- What I did

- How to verify it

- Description for the changelog

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 3, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci bot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ngopalak-redhat
Once this PR has been reviewed and has the lgtm label, please assign yuqi-zhang for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ngopalak-redhat
Contributor Author

/test unit
/test verify
/test images
/test verify-deps

@openshift-ci
Contributor

openshift-ci bot commented Dec 3, 2025

@ngopalak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 57b5c13 link true /test verify

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ngopalak-redhat
Contributor Author

@haircommander, I’ve prototyped a POC where the MCO daemon functions as an NRI plugin.
The plugin enforces a strict "deny-by-default" policy for mutations. It only permits mutations in namespaces specified in an allow-list (/etc/crio/nri_plugins/AllowMutations/config.yaml).

  • Registers with index 99 to ensure it runs as the final validator.
  • Leverages existing MCO configuration capabilities, meaning no additional operators or complex setup are required for the user.
  • Basic testing is complete with the changes in the PR and the behavior is stable.

I see two paths for managing the allow-list:

  1. API/CRD Approach: MCO parses a specific CRD and applies the config. We can then make sure that users don't play around with system namespaces.
  2. Direct Override: Users simply override the config file via MCO to specify allowed namespaces.

How do you see proceeding in the direction of making the Machine Config Daemon (in MCO) a validating NRI plugin for OpenShift?
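An added example, not code from this PR or from the MCO project, sketching the deny-by-default rule the comment describes: a namespace allow-list is loaded from a config file and any non-empty container adjustment outside an allow-listed namespace is rejected. The `allowedNamespaces` key, the minimal YAML-subset parser and the simplified `Adjustment` type are assumptions; the real config at /etc/crio/nri_plugins/AllowMutations/config.yaml and the NRI adjustment types are richer.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Adjustment is a constructed, simplified stand-in for the mutations earlier
// NRI plugins requested for a container (the real NRI ContainerAdjustment is richer).
type Adjustment struct {
	Env, Annotations map[string]string
	Mounts           []string
}

// Policy holds the deny-by-default rule: mutations are permitted only for allow-listed namespaces.
type Policy struct{ allowed map[string]struct{} }

// ParsePolicy reads a minimal YAML subset ("allowedNamespaces:" followed by
// "- name" items). It is a constructed parser, not a full YAML implementation.
func ParsePolicy(cfg string) (*Policy, error) {
	p := &Policy{allowed: map[string]struct{}{}}
	inList := false
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue // blank lines and comments
		case line == "allowedNamespaces:":
			inList = true
		case inList && strings.HasPrefix(line, "- "):
			p.allowed[strings.TrimSpace(line[2:])] = struct{}{}
		default: // unknown keys are an error, not silently ignored
			return nil, fmt.Errorf("unexpected config line %q", line)
		}
	}
	return p, sc.Err()
}

// Validate denies any non-empty adjustment for a namespace outside the allow-list.
func (p *Policy) Validate(namespace string, adj Adjustment) error {
	if len(adj.Env)+len(adj.Annotations)+len(adj.Mounts) == 0 {
		return nil // nothing was mutated, nothing to police
	}
	if _, ok := p.allowed[namespace]; !ok {
		return fmt.Errorf("mutation of container in namespace %q denied: not in allow-list", namespace)
	}
	return nil
}
```

Because the parser rejects unknown keys, a typo in the config fails closed instead of silently emptying the allow-list.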
