enhancements: Downward API

[oshoval]

This enhancement provides containers with access to Dynamic Resource Allocation (DRA)
device attributes and networking information through files mounted into the container filesystem.
This allows applications to discover allocated SR-IOV VF attributes,
networking configuration, and CNI results without querying the Kubernetes API.

See kubernetes/enhancements#5606
Until it is part of K8s, implement it by the driver.

Thanks @SchSeba for the solution and co-op

Summary by CodeRabbit

Documentation

• Added documentation for the DRA Attributes Downward API, detailing how device attributes and networking information are exposed to containers, including file paths, JSON schema structure, implementation workflow, and lifecycle management.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A new documentation file is added describing the DRA Attributes Downward API. The document outlines how DRA device attributes and networking information are exposed to containers via mounted JSON files, including node- and container-level paths, JSON schema structure, implementation workflow, lifecycle, and future considerations.

Changes

Cohort / File(s)	Summary
Documentation enhancements/DownwardAPI.md	New file documenting DRA Attributes Downward API with details on file paths, JSON schema, implementation workflow (CDI mounts, NRI file writes, container runtime mounting), lifecycle management, and future enhancement considerations

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'enhancements: Downward API' directly corresponds to the PR content, which adds documentation for the DRA Attributes Downward API. However, it is quite generic and doesn't capture the specific nature of the change (adding documentation rather than code implementation).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Pull Request Test Coverage Report for Build 20714636028

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 42.872%

---

Totals
Change from base Build 20620077521:	0.0%
Covered Lines:	1266
Relevant Lines:	2953

---

💛 - Coveralls

[oshoval]

cc @SchSeba

Thanks for the co-op on this

[coderabbitai]

Actionable comments posted: 2

Fix all issues with AI Agents 🤖

In @enhancements/DownwardAPI.md:
- Around line 19-20: The second fenced code block containing the line
"/etc/dra/<claimName>.<requestName>.json" is missing a language specifier;
update that fence to include a language (e.g., replace the opening ``` with
```text) so the block becomes a ```text fenced block to satisfy markdown
linting.
- Around line 13-15: Update the fenced code block that contains the path
"/etc/dra/<pod_uid>/<claimName>.<requestName>.json" to include a language
specifier (e.g., add "text" after the opening backticks) so the block becomes a
proper markdown code fence with language declared.

🧹 Nitpick comments (1)

enhancements/DownwardAPI.md (1)

1-124: Documentation is clear and well-structured overall.

The file effectively explains the downward API design, includes a practical JSON schema example, and references the upstream KEP. Consider enhancing it with:

1. Error handling: What happens if files aren't available or fail to mount? Should applications gracefully handle missing files?
2. File permissions: What are the expected ownership and permissions for these files?
3. Application consumption: A brief example showing how an application would parse and use these files.
4. Security considerations: Any sensitive data concerns with exposing device attributes and networking information?

These additions would make the documentation more actionable for developers implementing against this API.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 423e878 and aeefcc5.

📒 Files selected for processing (1)

• enhancements/DownwardAPI.md

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

enhancements/DownwardAPI.md

13-13: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Unit Tests
• GitHub Check: Build Container
• GitHub Check: Lint

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language specification to fenced code block.

The first code block lacks a language specifier, which is flagged by markdown linting rules.

🔎 Proposed fix

-```
+```text
 /etc/dra/<pod_uid>/<claimName>.<requestName>.json
-```
+```

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

13-13: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In @enhancements/DownwardAPI.md around lines 13-15, Update the fenced code block
that contains the path "/etc/dra/<pod_uid>/<claimName>.<requestName>.json" to
include a language specifier (e.g., add "text" after the opening backticks) so
the block becomes a proper markdown code fence with language declared.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language specification to fenced code block.

The second code block lacks a language specifier, which is flagged by markdown linting rules.

🔎 Proposed fix

-```
+```text
 /etc/dra/<claimName>.<requestName>.json
-```
+```

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	```
	/etc/dra/<claimName>.<requestName>.json

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In @enhancements/DownwardAPI.md around lines 19-20, The second fenced code block
containing the line "/etc/dra/<claimName>.<requestName>.json" is missing a
language specifier; update that fence to include a language (e.g., replace the
opening ``` with ```text) so the block becomes a ```text fenced block to satisfy
markdown linting.

[oshoval]

do we need to add here type ? for example network 0x as we discussed for SR-IOV ?
(btw not sure today Kubevirt is protected in this aspect of device mixing)

[oshoval]

note that the example below doesn't adhere to it, so we need to raise it on the KEP or align here,
since as we spoke each clainName, requestName tuple can belong to a different driver, so we need a separate file per tuple or at least per driver ?
(while the example belows shows one file for all the requests)

[alaypatel07]

@oshoval @SchSeba PTAL at the latest commit: kubernetes/enhancements@9ef91a9

Based on @SchSeba's inputs on data arriving later then DRA hook, I added some changes to the design, summary of it is here:

1. when a driver supporting downward API has started, it create an empty file at ${cdiMount}/.supported/${driverName}
2. when driver sees the claim, it will create the ${cdiMount}/${claimNamespace}-${claimName} directory and populate the ${cdiMount}/${claimNamespace}-${claimName}/driverNames files and initial version of ${cdiMount}/${claimNamespace}-${claimName}/metadata.json
3. when driver wants to update metadata.json, it calls d.metadataWriter.WriteDeviceMetadata. This library function will encode the data and update generationNumber.

The directory structure combined with generationNumber allows the application to:

1. look at the claims and see if the drivers for devices in the claim is supporting downward API metadata.
2. when the data becomes available, generation number helps application to watch/poll for changes and identify them even if they arrive later then the DRA hook.

[alaypatel07]

Also to be completely transparent, I need to spend more time in modeling this data: https://github.com/k8snetworkplumbingwg/dra-driver-sriov/pull/62/files#diff-e1130a488ec53121cb29a9b728dd15975a800ed1aab63867239265f2710e5ae7R41, its WIP. The plan is to get it into good enough state and get api-review so we can maintain this longterm, so please expect some changes here.

[oshoval]

Thanks @alaypatel07
I think that the POC we did here and tested locally in a loop, shows the data is available during the NRI,
and the race that we were afraid from won't happen iiuc?
@SchSeba please keep me honest here.
#59
(it is closed because it will be reopened by Sebastian with the new file structure)
The CDI prepares the manifest with folder mount as you said.
NRI writes the file directly after CNI returns the result, before the RunPodSandbox returns.
So once the container starts CreateContainer, it has the information.
Well at least for the driver this is the case, if it helps, can k8s do the same ?

Note: the above is not related to the fact NRI is not blocking and has 2 seconds timeout, for this Sebastian and Antonio discussed Machine config solution to increase the time.

[oshoval]

cc @SchSeba @aojea @alaypatel07 @EdDev

beside the PR, please see also
#62 (comment) - about adding device type
#62 (comment) (solved as part of the KEP iiuc, once it is we will update here)

Even if we dont need #62 (comment)
at the end, because the sandbox has the data, maybe generationNumber is still needed in order to detect hotplug ?

[oshoval]

Hi @SchSeba @alaypatel07

i wonder if we should just wait for KEP 5606 instead develop the downwardAPI by the SR-IOV driver meanwhile,
it seems duplication

moreover @alaypatel07
lets sync please once we get to it about consuming the downwardAPI on Kubevirt, since we will need it on several places, i.e on kubevirt/enhancements#155 and also on network dra devices VEP amendment.
So we also have there duplication, lets at least sync before adding it to the code please.

[oshoval]

Hi @SchSeba
would you like and able to take it from here please ?
the design + implementation

Thanks !