Skip to content

Add writable-cgroups experimental plugin #269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chrishenzie wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add writable-cgroups experimental plugin #269

chrishenzie wants to merge 1 commit into from

Conversation

@chrishenzie
Copy link
Contributor

@chrishenzie chrishenzie commented Feb 5, 2026

Adds a new writable-cgroups plugin, designed to enable safe delegation of cgroup management to containers. This plugin allows containers to mount /sys/fs/cgroup as read-write, enabling workloads (like AI/ML frameworks) to manage their own sub-cgroups.

This plugin serves as a reference implementation and test-bed for validating the nsdelegate security model proposed in KEP-5474 as an alternative to introducing new Kubernetes API fields.

@Divya063 @samuelkarp

@chrishenzie
Copy link
Contributor Author

chrishenzie commented Feb 5, 2026

I'm still unsure on the name, because all the other NRI plugins have "verb-focused" names. Maybe cgroup-adjuster is more appropriate?

@chrishenzie
Add writable-cgroups experimental plugin
78fbc4d 
Adds a new `writable-cgroups` plugin, designed to enable safe delegation
of cgroup management to containers. This plugin allows containers to
mount `/sys/fs/cgroup` as read-write, enabling workloads (like AI/ML
frameworks) to manage their own sub-cgroups.

This plugin serves as a reference implementation and test-bed for
validating the `nsdelegate` security model proposed in KEP-5474 as an
alternative to introducing new Kubernetes API fields.

Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
@chrishenzie chrishenzie force-pushed the writable-cgroups-experiment branch from c8215f8 to 78fbc4d Compare February 5, 2026 03:01
klihub
klihub reviewed Feb 5, 2026
View reviewed changes
plugins/writable-cgroups/writable-cgroups.go

const (
// WritableCgroupsAnnotation is the annotation key that enables writable cgroups.
WritableCgroupsAnnotation = "cgroups.noderesource.dev/writable"
Copy link
Member

@klihub klihub Feb 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Anything against using writable-cgroups.noderesource.dev as the annotation key ?

@klihub
Copy link
Member

klihub commented Feb 5, 2026

I'm still unsure on the name, because all the other NRI plugins have "verb-focused" names. Maybe cgroup-adjuster is more appropriate?

cgroup-adjuster sounds very generic to me compared to what the plugin does, implying more adjustments to containers' cgroups rather than their cgroup mounts. Maybe cgroup-mount-adjuster ?

@klihub
Copy link
Member

klihub commented Feb 5, 2026

@chrishenzie I only skimmed through it quickly yet, but it LGTM. Should we also add a contrib/kustomize/writable-cgroups (or whatever we end up calling this) like we have for the other plugins ?

@klihub klihub requested a review from mikebrow February 5, 2026 08:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klihub klihub klihub left review comments

@mikebrow mikebrow Awaiting requested review from mikebrow

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chrishenzie @klihub