diff --git a/plugins/network-device-injector/README.md b/plugins/network-device-injector/README.md index ed7f471a..f799426a 100644 --- a/plugins/network-device-injector/README.md +++ b/plugins/network-device-injector/README.md @@ -1,6 +1,23 @@ ## Network Device Injector Plugin This sample plugin can inject existing network devices into containers using pod annotations. +Network devices are network namespaced, this implies that in Kubernetes they are Pod scoped +and no container scoped, all containers are able to access the network device inside the Pod. + +Traditionally in Kubernetes the CNI plugin is the responsable of configuring the default network +interface for Pods, but there are use cases where the Pod may need to use additional network interfaces, +a more detailed explanation of all the possible technologies to add interfaces to Pods was presented during +[SIG Network meeting 14/03/2024](https://www.youtube.com/watch?v=67UzeMEaqnM&list=PL69nYSiGNLP2E8vmnqo5MwPOY25sDWIxb&index=1), +[slides](Slides in https://docs.google.com/presentation/d/1pjDCtpdbCSWaqCbBYWgzTxAewOVbMf6rUS5SbjAJAe8/edit?usp=sharing). + +Kubernetes project is working on [provide a better API](https://docs.google.com/document/d/1VBBj8Fh0ks0_-dacpqx6kD2tlIvj0XfFxtMuSfOJ22w/edit) +introducing network device claims that would naturally provide a built in means to inject. + +[Network Devices may be included in the OCI Runtime Specification](https://github.com/opencontainers/runtime-spec/issues/1239), this will allow +implementations to be more declarative offloading the low level implementation details to the runtime implementation. + +Pods that run in the host network namespace can not inject any network device as those are already running on the same network namespace, +and any modification can impact the existing system networking. ### Network Device Annotations 
@@ -23,11 +40,11 @@ The parameters are based on the existing linux netdevice representation. https://man7.org/linux/man-pages/man7/netdevice.7.html `name` is mandatory and refers to the name of the network interface in the host, -the rest of the parameters is optional. +the rest of the parameters are optional. `new_name` is the name of the interface inside the Pod. -The plugin only injects interfaces on the Pod, for more advanced networking configuration -like routing, traffic redirection or dynamic address configuration new plugins can be created. +The plugin only injects interfaces on the Pod network namespace for which the containers are attached when created, +for more advanced networking configuration like routing, traffic redirection or dynamic address configuration new plugins can be created. ## Testing diff --git a/plugins/network-device-injector/network-device-injector.go b/plugins/network-device-injector/network-device-injector.go index 1377eb98..359e7d73 100644 --- a/plugins/network-device-injector/network-device-injector.go +++ b/plugins/network-device-injector/network-device-injector.go @@ -302,12 +302,13 @@ type plugin struct { } func (p *plugin) RunPodSandbox(_ context.Context, pod *api.PodSandbox) error { - log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName).Info("Started pod...") + log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName).Debug("Started pod...") if verbose { dump("RunPodSandbox", "pod", pod) } - // inject associated devices of the netdevice to the container + // inject associated netdevices (based on received pod annotations) into the pod + // network namespace that will be attached to the pod's containers netdevices, err := parseNetdevices(pod.Annotations) if err != nil { return err 
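Review bot: The rewritten log line at the top of RunPodSandbox still passes the method value `pod.GetName` instead of calling it, so the `name` field carries a function value rather than the pod name and the log entry is useless for correlating which pod was started; it should read `log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName()).Debug("Started pod...")`. The same missing call parentheses are in the new skip message in the `-325,8` hunk and in the Debug line of StopPodSandbox in the `-341,7` hunk, and this change is the natural place to fix all three since the lines are being touched anyway. The defect predates the commit, but the compiler does not flag it because WithField accepts any value. RunPodSandbox's body continues past the end of this hunk.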
@@ -325,8 +326,10 @@ func (p *plugin) RunPodSandbox(_ context.Context, pod *api.PodSandbox) error {
 			break
 		}
 	}
-	// TODO check host network namespace
+
+	// Pods running on the host network namespace has this value empty
 	if ns == "" {
+		log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName).Info("Pod using host namespace, skipping ...")
 		return nil
 	}
 
@@ -341,7 +344,7 @@ func (p *plugin) RunPodSandbox(_ context.Context, pod *api.PodSandbox) error {
 }
 
 func (p *plugin) StopPodSandbox(_ context.Context, pod *api.PodSandbox) error {
-	log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName).Info("Stopped pod...")
+	log.WithField("namespace", pod.GetNamespace()).WithField("name", pod.GetName).Debug("Stopped pod...")
 	if verbose {
 		dump("StopPodSandbox", "pod", pod)
 	}
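Review bot: The new early return for host-network pods drops the injection request silently: `netdevices` has already been parsed from the pod annotations by this point, so a pod that declares devices but runs with hostNetwork gets an Info line and `return nil`, and starts without the devices it asked for. Refusing to touch the host namespace is the right decision, but the mismatch should be surfaced rather than logged only, for example `if len(netdevices) > 0 { return fmt.Errorf("pod %s/%s requests network devices but runs in the host network namespace", pod.GetNamespace(), pod.GetName()) }` before the `return nil`, or at least a Warn-level entry. The added comment also reads awkwardly; `// Pods running in the host network namespace have no network namespace path; never modify the host's networking.` states both the condition and the reason. The loop that computes `ns` starts before this hunk, so whether an empty path can arise for any other reason is not visible here.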