Skip to content

Add writable-cgroups experimental plugin#269

Open
chrishenzie wants to merge 1 commit intocontainerd:mainfrom
chrishenzie:writable-cgroups-experiment
Open

Add writable-cgroups experimental plugin#269
chrishenzie wants to merge 1 commit intocontainerd:mainfrom
chrishenzie:writable-cgroups-experiment

Conversation

@chrishenzie
Copy link
Contributor

@chrishenzie chrishenzie commented Feb 5, 2026

Adds a new writable-cgroups plugin, designed to enable safe delegation of cgroup management to containers. This plugin allows containers to mount /sys/fs/cgroup as read-write, enabling workloads (like AI/ML frameworks) to manage their own sub-cgroups.

This plugin serves as a reference implementation and test-bed for validating the nsdelegate security model proposed in KEP-5474 as an alternative to introducing new Kubernetes API fields.

@Divya063 @samuelkarp

@chrishenzie
Copy link
Contributor Author

chrishenzie commented Feb 5, 2026

I'm still unsure on the name, because all the other NRI plugins have "verb-focused" names. Maybe cgroup-adjuster is more appropriate?

@chrishenzie chrishenzie force-pushed the writable-cgroups-experiment branch from c8215f8 to 78fbc4d Compare February 5, 2026 03:01
klihub
klihub reviewed Feb 5, 2026
View reviewed changes
plugins/writable-cgroups/writable-cgroups.go Outdated

const (
// WritableCgroupsAnnotation is the annotation key that enables writable cgroups.
WritableCgroupsAnnotation = "cgroups.noderesource.dev/writable"
Copy link
Member

@klihub klihub Feb 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Anything against using writable-cgroups.noderesource.dev as the annotation key ?

Copy link
Contributor Author

@chrishenzie chrishenzie Mar 18, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works for me. The only limitation is there is a 63 character limit for Pod annotations, so if a container name is long, it might push us over the edge when appended with the .container.<container_name> suffix.

>>> len("writable-cgroups.noderesource.dev.container.")
44

So long as a container name is less than 19 characters it should be fine. We could potentially remove .container and save an extra 10 characters. I'm okay with keeping as-is though.

@klihub
Copy link
Member

klihub commented Feb 5, 2026

I'm still unsure on the name, because all the other NRI plugins have "verb-focused" names. Maybe cgroup-adjuster is more appropriate?

cgroup-adjuster sounds very generic to me compared to what the plugin does, implying more adjustments to containers' cgroups rather than their cgroup mounts. Maybe cgroup-mount-adjuster ?

@klihub
Copy link
Member

klihub commented Feb 5, 2026

@chrishenzie I only skimmed through it quickly yet, but it LGTM. Should we also add a contrib/kustomize/writable-cgroups (or whatever we end up calling this) like we have for the other plugins ?

@klihub klihub requested a review from mikebrow February 5, 2026 08:58
@chrishenzie chrishenzie mentioned this pull request Feb 22, 2026
Open
4 tasks
@samuelkarp
Copy link
Member

samuelkarp commented Feb 25, 2026

I think writable-cgroups is a fine name. We don't have to have everything named -adjuster.

samuelkarp
samuelkarp approved these changes Feb 25, 2026
View reviewed changes
@chrishenzie chrishenzie force-pushed the writable-cgroups-experiment branch 2 times, most recently from 42bca1a to a32da70 Compare March 18, 2026 20:35
@chrishenzie
Add writable-cgroups experimental plugin
6c16026 
Adds a new `writable-cgroups` plugin, designed to enable safe delegation
of cgroup management to containers. This plugin allows containers to
mount `/sys/fs/cgroup` as read-write, enabling workloads (like AI/ML
frameworks) to manage their own sub-cgroups.

This plugin serves as a reference implementation and test-bed for
validating the `nsdelegate` security model proposed in KEP-5474 as an
alternative to introducing new Kubernetes API fields.

Signed-off-by: Chris Henzie <chrishenzie@gmail.com>
@chrishenzie chrishenzie force-pushed the writable-cgroups-experiment branch from a32da70 to 6c16026 Compare March 19, 2026 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klihub klihub klihub left review comments

@samuelkarp samuelkarp samuelkarp approved these changes

@mikebrow mikebrow Awaiting requested review from mikebrow

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chrishenzie @klihub @samuelkarp