k8snetworkplumbingwg
diff --git a/‎README.md‎
Lines changed: 86 additions & 36 deletions b/‎README.md‎
Lines changed: 86 additions & 36 deletions
diff --git a/‎cmd/dra-driver-sriov/main.go‎
Lines changed: 7 additions & 7 deletions b/‎cmd/dra-driver-sriov/main.go‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎demo/extended-resource/README.md‎
Lines changed: 5 additions & 5 deletions b/‎demo/extended-resource/README.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎demo/extended-resource/deviceclass.yaml‎
Lines changed: 35 additions & 6 deletions b/‎demo/extended-resource/deviceclass.yaml‎
Lines changed: 35 additions & 6 deletions
@@ -15,11 +15,13 @@ The driver features an advanced resource filtering system that enables administr
 ## Features
 
 - **Dynamic Resource Allocation**: Leverages Kubernetes DRA framework for SR-IOV VF management
-- **Advanced Resource Filtering**: Fine-grained filtering of Virtual Functions based on hardware attributes
-- **Custom Resource Definitions**: SriovResourceFilter CRD for configuring device filtering policies
-- **Controller-based Management**: Kubernetes controller pattern for resource filter lifecycle management
+- **Opt-In Device Advertisement**: Devices are only advertised when explicitly defined in a policy
+- **Custom Resource Definitions**:
+  - SriovResourcePolicy CRD for configuring device advertisement policies
+  - DeviceAttributes CRD defines a set of arbitrary attributes that can be applied to devices selected by a SriovResourcePolicy. Policies reference DeviceAttributes objects via label selectors.
+- **Controller-based Management**: Kubernetes controller pattern for resource policy lifecycle management
 - **Multiple Resource Types**: Support for exposing different VF pools as distinct resource types
-- **Node-targeted Filtering**: Per-node resource filtering with node selector support
+- **Node-targeted Policies**: Per-node resource policies with node selector support
 - **CDI Integration**: Uses Container Device Interface for device injection into containers
 - **NRI Integration**: Node Resource Interface support for advanced container runtime interaction
 - **Kubernetes Native**: Integrates seamlessly with standard Kubernetes resource request/limit model
@@ -79,7 +81,7 @@ The Helm chart supports various configuration options through `values.yaml`:
 - **Image Configuration**: Customize image repository, tag, and pull policy
 - **Resource Limits**: Set resource requests and limits for driver components  
 - **Node Selection**: Configure node selectors and tolerations
-- **Namespace Configuration**: Configure the namespace where SriovResourceFilter resources are watched
+- **Namespace Configuration**: Configure the namespace where SriovResourcePolicy resources are watched
 - **Default Interface Prefix**: Set the default interface prefix for virtual functions
 - **CDI Root**: Configure the directory for CDI file generation
 - **Logging**: Adjust log verbosity and format
@@ -137,33 +139,72 @@ spec:
 
 ## Resource Filtering System
 
-The DRA driver includes an advanced resource filtering system that allows administrators to define fine-grained policies for how SR-IOV Virtual Functions are exposed and allocated. This system uses Custom Resource Definitions (CRDs) and a Kubernetes controller to manage device filtering based on hardware characteristics.
+The DRA driver uses an opt-in model where administrators explicitly define which SR-IOV Virtual Functions should be advertised as Kubernetes resources. This system uses Custom Resource Definitions (CRDs) and a Kubernetes controller to manage device advertisement policies based on hardware characteristics.
 
-### SriovResourceFilter CRD
+**Important**: Without a matching `SriovResourcePolicy`, no devices will be advertised.
 
-The `SriovResourceFilter` custom resource allows you to define filtering policies for SR-IOV devices:
+### SriovResourcePolicy CRD
+
+The `SriovResourcePolicy` custom resource defines which SR-IOV devices should be advertised as allocatable resources. Attributes are decoupled into a separate `DeviceAttributes` CRD and linked via label selectors:
 
 ```yaml
+# 1. Define attributes to apply to matched devices
+apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
+kind: DeviceAttributes
+metadata:
+  name: eth0-attrs
+  namespace: dra-sriov-driver
+  labels:
+    pool: eth0-resource
+spec:
+  attributes:
+    sriovnetwork.k8snetworkplumbingwg.io/resourceName:
+      string: "eth0_resource"
+---
+apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
+kind: DeviceAttributes
+metadata:
+  name: eth1-attrs
+  namespace: dra-sriov-driver
+  labels:
+    pool: eth1-resource
+spec:
+  attributes:
+    sriovnetwork.k8snetworkplumbingwg.io/resourceName:
+      string: "eth1_resource"
+---
+# 2. Policy selects devices and references attributes by label
 apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
-kind: SriovResourceFilter
+kind: SriovResourcePolicy
 metadata:
-  name: example-filter
+  name: example-policy
   namespace: dra-sriov-driver
 spec:
   nodeSelector:
-    kubernetes.io/hostname: worker-node-1
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: kubernetes.io/hostname
+        operator: In
+        values:
+        - worker-node-1
   configs:
-  - resourceName: "eth0_resource"  
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: eth0-resource
     resourceFilters:
     - vendors: ["8086"]           # Intel devices only
       pfNames: ["eth0"]           # Physical Function name
-  - resourceName: "eth1_resource"
-    resourceFilters:  
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: eth1-resource
+    resourceFilters:
     - vendors: ["8086"]
       pfNames: ["eth1"]
       drivers: ["vfio-pci"]       # Only VFIO-bound devices
 ```
 
+Each `Config` entry pairs a `deviceAttributesSelector` (label selector matching `DeviceAttributes` objects) with `resourceFilters` (device hardware criteria). Devices matching the filters are advertised, and attributes from all matching `DeviceAttributes` objects are merged onto them.
+
 ### Filtering Criteria
 
 The resource filtering system supports multiple filtering criteria that can be combined:
@@ -173,40 +214,48 @@ The resource filtering system supports multiple filtering criteria that can be c
 - **pciAddresses**: Filter by specific PCI addresses
 - **pfNames**: Filter by Physical Function name (e.g., "eth0", "eth1")
 - **pfPciAddresses**: Filter by Physical Function PCI address
+- **drivers**: Filter by bound driver name (e.g., "vfio-pci", "igb_uio")
 
 ### Node Selection
 
-Use `nodeSelector` to target specific nodes:
+Use `nodeSelector` (a `v1.NodeSelector`) to target specific nodes. Omit it to match all nodes:
 
 ```yaml
 spec:
   nodeSelector:
-    kubernetes.io/hostname: specific-node
-    # or
-    node-type: sriov-enabled
-    # Empty nodeSelector matches all nodes
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: kubernetes.io/hostname
+        operator: In
+        values:
+        - specific-node
+    # Multiple terms are ORed; expressions within a term are ANDed
 ```
 
 ### Multiple Resource Types
 
-Define multiple resource configurations to create different pools of Virtual Functions:
+Define multiple configs to create different pools of Virtual Functions, each referencing a `DeviceAttributes` object via label selector:
 
 ```yaml
 spec:
   configs:
-  - resourceName: "high-performance"
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: high-performance
     resourceFilters:
     - vendors: ["8086"]
       pfNames: ["eth0"]
-  - resourceName: "standard-networking"  
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: standard-networking
     resourceFilters:
-    - vendors: ["8086"]  
+    - vendors: ["8086"]
       pfNames: ["eth1"]
 ```
 
-### Using Filtered Resources
+### Using Policy-Defined Resources
 
-Once a `SriovResourceFilter` is applied, pods can request specific resource types using CEL expressions:
+Once a `SriovResourcePolicy` is applied, devices matching the policy are advertised and pods can request specific resource types using CEL expressions:
 
 ```yaml
 apiVersion: resource.k8s.io/v1
@@ -299,11 +348,11 @@ Demonstrates requesting multiple Virtual Functions in a single resource claim:
 - VfConfig applies to all allocated VFs in the claim
 - Automatic interface naming (typically net1, net2, etc.)
 
-#### Resource Filtering (`demo/resource-filtering/`)  
-Shows how to use SriovResourceFilter for advanced device management:
-- Filter VFs based on vendor ID, Physical Function names, and hardware attributes
+#### Resource Policies (`demo/resource-policies/`)  
+Shows how to use SriovResourcePolicy for controlling device advertisement:
+- Advertise VFs based on vendor ID, Physical Function names, and hardware attributes
 - Multiple resource configurations for different network interfaces
-- Node-targeted filtering with selector support
+- Node-targeted policies with selector support
 
 #### VFIO Driver Configuration (`demo/vfio-driver/`)
 Illustrates VFIO-PCI driver configuration for userspace applications:
@@ -323,10 +372,10 @@ Illustrates VFIO-PCI driver configuration for userspace applications:
 │   └── dra-driver-sriov/          # Main driver executable
 ├── pkg/
 │   ├── driver/                    # Core driver implementation
-│   ├── controller/                # Kubernetes controller for resource filtering
+│   ├── controller/                # Kubernetes controller for resource policies
 │   ├── devicestate/               # Device state management and discovery
 │   ├── api/                       # API definitions
-│   │   ├── sriovdra/v1alpha1/     # SriovResourceFilter CRD definitions
+│   │   ├── sriovdra/v1alpha1/     # SriovResourcePolicy and DeviceAttributes CRD definitions
 │   │   └── virtualfunction/v1alpha1/ # Virtual Function API types
 │   ├── cdi/                       # CDI integration
 │   ├── cni/                       # CNI plugin integration
@@ -342,8 +391,8 @@ Illustrates VFIO-PCI driver configuration for userspace applications:
 ├── demo/                          # Example workload configurations
 │   ├── single-vf-claim/           # Single VF allocation example
 │   ├── multiple-vf-claim/         # Multiple VF allocation example
-│   ├── resource-filtering/        # Resource filtering configuration example
-│   └── vfio-driver/              # VFIO-PCI driver configuration example
+│   ├── resource-policies/         # Resource policy configuration example
+│   └── vfio-driver/               # VFIO-PCI driver configuration example
 ├── hack/                          # Build and development scripts
 ├── test/                          # Test suites
 └── vendor/                        # Go module dependencies
@@ -352,9 +401,10 @@ Illustrates VFIO-PCI driver configuration for userspace applications:
 ### Key Components
 
 - **Driver**: Main gRPC service implementing DRA kubelet plugin interface
-- **Resource Filter Controller**: Kubernetes controller managing SriovResourceFilter lifecycle and device filtering
-- **Device State Manager**: Tracks available and allocated SR-IOV virtual functions with filtering support
-- **SriovResourceFilter CRD**: Custom resource for defining device filtering policies  
+- **Resource Policy Controller**: Kubernetes controller managing SriovResourcePolicy lifecycle and device advertisement
+- **Device State Manager**: Tracks available and allocated SR-IOV virtual functions
+- **SriovResourcePolicy CRD**: Custom resource for defining device advertisement policies (opt-in model)
+- **DeviceAttributes CRD**: Custom resource for defining arbitrary attributes applied to policy-matched devices via label selectors
 - **CDI Generator**: Creates Container Device Interface specifications for VFs
 - **NRI Plugin**: Node Resource Interface integration for container runtime interaction
 - **Pod Manager**: Manages pod lifecycle and resource allocation
 
@@ -86,7 +86,7 @@ func newApp() *cli.App {
 		},
 		&cli.StringFlag{
 			Name:        "namespace",
-			Usage:       "Namespace where the driver should watch for SriovResourceFilter resources.",
+			Usage:       "Namespace where the driver should watch for SriovResourcePolicy resources.",
 			Value:       "dra-sriov-driver",
 			Destination: &flagsOptions.Namespace,
 			EnvVars:     []string{"NAMESPACE"},
@@ -188,11 +188,11 @@ func RunPlugin(ctx context.Context, config *types.Config) error {
 
 	logger.Info("Configuring controller manager", "namespace", config.Flags.Namespace)
 
-	// Configure cache to only watch resources in the specified namespace for SriovResourceFilter
+	// Configure cache to only watch resources in the specified namespace for SriovResourcePolicy
 	// while allowing cluster-wide access for other resources like Nodes
 	cacheOpts := cache.Options{
 		ByObject: map[client.Object]cache.ByObject{
-			&sriovdrav1alpha1.SriovResourceFilter{}: {
+			&sriovdrav1alpha1.SriovResourcePolicy{}: {
 				Namespaces: map[string]cache.Config{
 					config.Flags.Namespace: {},
 				},
@@ -209,10 +209,10 @@ func RunPlugin(ctx context.Context, config *types.Config) error {
 		return fmt.Errorf("failed to create controller manager: %w", err)
 	}
 
-	// create and setup resource filter controller
-	resourceFilterController := controller.NewSriovResourceFilterReconciler(config.K8sClient.Client, config.Flags.NodeName, config.Flags.Namespace, deviceStateManager)
-	if err := resourceFilterController.SetupWithManager(mgr); err != nil {
-		return fmt.Errorf("failed to setup resource filter controller: %w", err)
+	// create and setup resource policy controller
+	resourcePolicyController := controller.NewSriovResourcePolicyReconciler(config.K8sClient.Client, config.Flags.NodeName, config.Flags.Namespace, deviceStateManager)
+	if err := resourcePolicyController.SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("failed to setup resource policy controller: %w", err)
 	}
 
 	// start controller manager
 
@@ -21,8 +21,8 @@ In both cases, the scheduler transparently creates a ResourceClaim with an `Exac
 
 ## Components
 
-### 1. SriovResourceFilter (Dual-Port)
-The `SriovResourceFilter` defines two resource groups — one per physical NIC port:
+### 1. SriovResourcePolicy (Dual-Port)
+The `SriovResourcePolicy` defines two resource groups — one per physical NIC port:
 - **port1-vfs**: VFs on PCI bus `08:00.{2,3,4,5}`
 - **port2-vfs**: VFs on PCI bus `08:02.{2,3,4,5}`
 
@@ -52,7 +52,7 @@ Pods use standard `resources.requests` / `resources.limits` — no `resourceClai
                     deviceclass.yaml
 ┌──────────────────────────────────────────────────────────┐
 │                                                          │
-│  SriovResourceFilter "dual-port-vfs"                     │
+│  SriovResourcePolicy "dual-port-vfs"                     │
 │  ┌───────────────────┐  ┌───────────────────┐            │
 │  │ port1-vfs         │  │ port2-vfs         │            │
 │  │ 08:00.{2,3,4,5}   │  │ 08:02.{2,3,4,5}   │            │
@@ -91,7 +91,7 @@ Extended resource allocation is ideal for:
 
 ## Usage
 
-1. Deploy the DeviceClasses, SriovResourceFilter, and NetworkAttachmentDefinitions:
+1. Deploy the DeviceClasses, SriovResourcePolicy, and NetworkAttachmentDefinitions:
    ```bash
    kubectl apply -f deviceclass.yaml
    ```
@@ -167,7 +167,7 @@ The other demos in this repository (`single-vf-claim/`, `resourceclaim/`, `vfio-
 
 ### Changing PCI Addresses
 
-Update the `SriovResourceFilter` in `deviceclass.yaml` with your actual VF PCI addresses:
+Update the `SriovResourcePolicy` in `deviceclass.yaml` with your actual VF PCI addresses:
 
 ```bash
 # Find VF PCI addresses on your host
 
@@ -1,20 +1,49 @@
-# SriovResourceFilter with two configs — one per physical port
+# DeviceAttributes for port 1
 apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
-kind: SriovResourceFilter
+kind: DeviceAttributes
+metadata:
+  name: port1-attrs
+  namespace: dra-sriov-driver
+  labels:
+    pool: port1-vfs
+spec:
+  attributes:
+    sriovnetwork.k8snetworkplumbingwg.io/resourceName:
+      string: "port1-vfs"
+---
+# DeviceAttributes for port 2
+apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
+kind: DeviceAttributes
+metadata:
+  name: port2-attrs
+  namespace: dra-sriov-driver
+  labels:
+    pool: port2-vfs
+spec:
+  attributes:
+    sriovnetwork.k8snetworkplumbingwg.io/resourceName:
+      string: "port2-vfs"
+---
+# SriovResourcePolicy with two configs — one per physical port
+apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
+kind: SriovResourcePolicy
 metadata:
   name: dual-port-vfs
-  namespace: dra-sriov-system
+  namespace: dra-sriov-driver
 spec:
-  nodeSelector: {}
   configs:
-  - resourceName: "port1-vfs"
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: port1-vfs
     resourceFilters:
     - pciAddresses:
       - "0000:08:00.2"
       - "0000:08:00.3"
       - "0000:08:00.4"
       - "0000:08:00.5"
-  - resourceName: "port2-vfs"
+  - deviceAttributesSelector:
+      matchLabels:
+        pool: port2-vfs
     resourceFilters:
     - pciAddresses:
       - "0000:08:02.2"