feat: pod annotation-based configuration overrides #26
Merged
miguelgila merged 8 commits into main on Mar 1, 2026
Allow users to influence Reaper behavior per-pod via Kubernetes annotations (e.g. `reaper.runtime/dns-mode: kubernetes`). Annotations are extracted by the shim, stored in container state, and applied at start time. Security model: compile-time allowlist restricts which keys users can set; admin-only parameters (overlay paths, filter settings, isolation mode) cannot be overridden. Administrators can disable all annotation processing with REAPER_ANNOTATIONS_ENABLED=false. Includes shared annotations module, 202 passing tests (unit + integration), and user-facing documentation in README.md. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tion
Allow pods to specify a named overlay group within their namespace,
so different groups of pods use completely isolated overlays (separate
upper/work dirs, mount namespaces, and locks). This enables filesystem
isolation between workload groups sharing the same K8s namespace.
Path structure with overlay-name (e.g., ns=production, name=pippo):
/run/reaper/overlay/production/pippo/{upper,work}
/run/reaper/ns/production--pippo
/run/reaper/overlay-production--pippo.lock
Without overlay-name, paths are unchanged (backward compatible).
In node isolation mode, overlay-name is logged as warning and ignored.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
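As an added example (not the project's own `annotations.rs` or any code from this PR), the following Rust sketch shows the two mechanisms the commit messages above describe: a compile-time allowlist that extracts only `reaper.runtime/*` keys a pod is permitted to set, with the `REAPER_ANNOTATIONS_ENABLED=false` kill switch and graceful fallback on bad values, and the named-overlay path layout for `ns=production, name=pippo`. The type and function names (`AnnotationOverrides`, `DnsMode`, `parse_annotations`, `overlay_paths`), the overlay-name charset rule, and the layout used when no overlay-name is given are assumptions of this example, not the project's.

```rust
// Added example, not the project's annotations.rs: compile-time allowlist for
// `reaper.runtime/*` pod annotations, the REAPER_ANNOTATIONS_ENABLED kill switch,
// and the named-overlay path layout from the commit message. Names and the
// overlay-name charset rule are assumptions of this example.
use std::collections::BTreeMap;

pub const PREFIX: &str = "reaper.runtime/";

/// Keys a pod may set. Admin-only settings (overlay paths, filter settings,
/// isolation mode) are deliberately absent: an unlisted key is never applied.
pub const ALLOWED_KEYS: &[&str] = &["dns-mode", "overlay-name"];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DnsMode { Host, Kubernetes }

#[derive(Debug, Default, PartialEq, Eq)]
pub struct AnnotationOverrides {
    pub dns_mode: Option<DnsMode>,
    pub overlay_name: Option<String>,
    /// Prefixed keys that were unknown or carried an invalid value; the caller
    /// logs them and starts the pod with defaults instead of failing it.
    pub rejected: Vec<String>,
}

/// REAPER_ANNOTATIONS_ENABLED=false disables all annotation processing; an unset
/// variable or any other value leaves processing enabled (assumed default).
pub fn annotations_enabled(env_value: Option<&str>) -> bool {
    !matches!(env_value.map(str::trim), Some(v) if v.eq_ignore_ascii_case("false"))
}

fn parse_dns_mode(value: &str) -> Option<DnsMode> {
    match value {
        "host" => Some(DnsMode::Host),
        "kubernetes" | "k8s" => Some(DnsMode::Kubernetes),
        _ => None,
    }
}

/// An overlay name becomes a path component and part of a lock-file name, so
/// only a conservative charset is accepted (example rule). This also rules out
/// "..", "/" and the "--" separator that joins namespace and name.
fn valid_overlay_name(value: &str) -> bool {
    !value.is_empty()
        && value.len() <= 63
        && !value.contains("--")
        && value.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

/// Extract the allowlisted overrides from the OCI config.json `annotations` map.
/// containerd only forwards pod annotations matching its `pod_annotations`
/// patterns, so this map is empty for `reaper.runtime/*` unless that is configured.
pub fn parse_annotations(annotations: &BTreeMap<String, String>, enabled: bool) -> AnnotationOverrides {
    let mut out = AnnotationOverrides::default();
    if !enabled {
        return out;
    }
    for (key, value) in annotations {
        // Annotations outside the prefix belong to other components; skip silently.
        let Some(short) = key.strip_prefix(PREFIX) else { continue };
        if !ALLOWED_KEYS.contains(&short) {
            out.rejected.push(key.clone());
            continue;
        }
        match (short, parse_dns_mode(value)) {
            ("dns-mode", Some(mode)) => out.dns_mode = Some(mode),
            ("overlay-name", _) if valid_overlay_name(value) => out.overlay_name = Some(value.clone()),
            // Known key, invalid value: ignore it rather than fail the pod.
            _ => out.rejected.push(key.clone()),
        }
    }
    out
}

#[derive(Debug, PartialEq, Eq)]
pub struct OverlayPaths {
    pub upper: String,
    pub work: String,
    pub mount_ns: String,
    pub lock: String,
}

/// Path layout for a named overlay group, as given in the commit message. The
/// page does not spell out the layout without an overlay-name; this example
/// assumes it is the same layout with the name components dropped.
pub fn overlay_paths(namespace: &str, overlay_name: Option<&str>) -> OverlayPaths {
    let (dir, id) = match overlay_name {
        Some(name) => (format!("{namespace}/{name}"), format!("{namespace}--{name}")),
        None => (namespace.to_string(), namespace.to_string()),
    };
    OverlayPaths {
        upper: format!("/run/reaper/overlay/{dir}/upper"),
        work: format!("/run/reaper/overlay/{dir}/work"),
        mount_ns: format!("/run/reaper/ns/{id}"),
        lock: format!("/run/reaper/overlay-{id}.lock"),
    }
}
```

The design point worth noting is that rejection is per key and never fatal: an unknown `reaper.runtime/*` key or a bogus value is recorded for logging and the pod starts with defaults, which is the behaviour the e2e tests for invalid and unknown annotations check. Validating `overlay-name` before it is used in a path is what keeps a user-settable annotation from steering the shim outside `/run/reaper/overlay/<ns>/`.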
Adds test_overlay_name_isolation to the integration test suite:
- Writer pod with overlay-name=group-alpha writes a marker file
- Reader pod with overlay-name=group-beta (same namespace) verifies it CANNOT see the file (isolation between overlay groups)
- Same-group reader with overlay-name=group-alpha verifies it CAN see the file (sharing within an overlay group)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Containerd 1.7+ does not automatically propagate pod-level Kubernetes annotations to the container OCI config.json. The runtime configuration must explicitly declare which annotation patterns to pass through via the `pod_annotations` field. Without this, the shim never sees `reaper.runtime/*` annotations and overlay-name (and dns-mode via annotations) silently does nothing. Added `pod_annotations = ["reaper.runtime/*"]` to all containerd configuration locations: Kind configs, Ansible installer, configure-containerd.sh, and documentation. Also added diagnostics to the overlay-name e2e test for easier debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…lid, unknown)

Add four new Kind e2e tests to close annotation coverage gaps:
- dns-mode annotation override: verifies host vs kubernetes resolv.conf
- combined annotations: dns-mode + overlay-name on same pod
- invalid annotation graceful fallback: bogus values don't crash pods
- unknown annotation keys silently ignored: security allowlist works

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Each binary includes the full annotations.rs but only uses a subset of its public items, triggering clippy dead_code warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sync the fake runtime script to disk and yield before executing, preventing "Text file busy" errors in CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov outages (502s) should not block PRs. Coverage upload is best-effort; actual test results are what matters. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report ❌ Patch coverage is

```
@@ Coverage Diff @@
##             main      #26      +/-   ##
==========================================
- Coverage   88.09%   87.18%   -0.91%
==========================================
  Files           5        6       +1
  Lines         252      320      +68
==========================================
+ Hits          222      279      +57
- Misses         30       41      +11
```
Summary

- `reaper.runtime/*` prefix (dns-mode, overlay-name)
- (`reaper.runtime/overlay-name`) for isolated overlay filesystems within a K8s namespace
- `annotations.rs` module with parsing, validation, and security allowlist

Details

Annotation system:
- `reaper.runtime/dns-mode`: Override DNS resolution mode per pod (`host`, `kubernetes`, `k8s`)
- `reaper.runtime/overlay-name`: Create named overlay groups with isolated upper/work dirs and mount namespaces
- `REAPER_ANNOTATIONS_ENABLED=false` disables all annotation processing

Named overlay groups:
- `production/pippo/`)
- `production--pippo`)

Test coverage:
- `src/annotations.rs`
- `tests/integration_annotations.rs`

Test plan

- `cargo test` — all unit and integration tests pass
- `cargo clippy -- -D warnings` — no warnings

🤖 Generated with Claude Code