feat(discovery+openshell): DNS-AID agent discovery with OpenShell policy enforcement #469
Open
IngmarVG-IB wants to merge 4 commits into NVIDIA:main from
Introduce pkg/discovery for DNS-AID based agent discovery using SVCB records (RFC 9460) with private-use SvcParamKeys per draft-mozleywilliams-dnsop-dnsaid-01. Agents publish themselves via K8s ConfigMaps and discover peers through DNS lookups.
- pkg/discovery: Discoverer (DNS SVCB resolver), Publisher (K8s ConfigMap-based registration), SVCB parser for keys 65400-65408
- pkg/server: WithOnStart/WithOnShutdown lifecycle hooks as functional options, executed during server start/shutdown respectively
- pkg/api: /v1/agents endpoint listing discovered agents in a domain, with input validation and feature-gated via AICR_DISCOVERY_ENABLED
- pkg/defaults: discovery timeout constants and ServerDefaultPort
Welcome to AICR, @IngmarVG-IB! Thanks for your first pull request. Before review, please ensure:
A maintainer will review this soon.
Strip rdatapolicy plugin mentions from pkg/discovery doc comments and the k8s-discovery agent definition. These features are under embargo and should not be referenced in public code.
OpenShell evaluates target agents' policy documents (served at their dns-aid-core policy URI, SvcParamKey 65403) as Layer 1 caller-side enforcement before allowing connections. This completes the security story: "OpenShell secures the agent boundary; DNS-AID resolves what's inside it."
New pkg/openshell package implements:
- All 16 native policy rules matching dns-aid-core's PolicyDocument schema
- Three enforcement modes: strict (deny), permissive (log, default), disabled
- Fail-open on policy fetch errors (matches dns-aid-core behavior)
- SSRF-protected fetcher with HTTPS-only, private IP rejection
- TTL-based cache with bounded eviction and singleflight coalescing
- Enforcement layer filtering (Layer 0/1/2 per rule)
- Realm isolation detection with cross-realm access logging
Integration:
- /v1/agents endpoint evaluates OpenShell policy per discovered agent
- OPENSHELL_MODE env var controls enforcement (strict/permissive/disabled)
- Guard accepts nil safely — zero behavioral change when discovery disabled
New error codes: POLICY_DENIED, POLICY_FETCH
New defaults: PolicyFetchTimeout (3s), PolicyCacheTTL (5m), PolicyMaxBytes (64KB)
Test coverage: 84.2% (30 tests across evaluator, fetcher, guard)
Signed-off-by: Mark Chmarny <mchmarny@users.noreply.github.com>
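The SSRF-protected fetch named in the commit message above (HTTPS-only, private IP rejection), sketched as an added Go example; it is not code from this pull request, and the names isBlockedIP, validatePolicyURL, dialControl and newPolicyClient are hypothetical. It checks the policy URI before the request and checks the resolved address again at connect time, so a hostname that resolves to an internal address is refused as well.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isBlockedIP is true for nil/unparseable, loopback, private, link-local and multicast addresses.
func isBlockedIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// validatePolicyURL is the static check: HTTPS only, no userinfo, no blocked IP literal.
func validatePolicyURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
		return fmt.Errorf("policy URI %q must be https, with a host and no userinfo", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isBlockedIP(ip) {
		return fmt.Errorf("policy URI targets blocked address %s", ip)
	}
	return nil
}

// dialControl runs after DNS resolution, just before connect(), on the address actually dialed.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil || isBlockedIP(net.ParseIP(host)) {
		return fmt.Errorf("refusing to dial %q", address)
	}
	return nil
}

// newPolicyClient (hypothetical name) applies both checks; redirects are re-validated too.
func newPolicyClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: dialControl}
	redirect := func(r *http.Request, _ []*http.Request) error { return validatePolicyURL(r.URL.String()) }
	t := &http.Transport{DialContext: d.DialContext}
	return &http.Client{Timeout: timeout, Transport: t, CheckRedirect: redirect}
}

func main() {
	fmt.Println(validatePolicyURL("https://169.254.169.254/policy.json")) // constructed sample URI
}
```

net.IP.IsPrivate covers the RFC 1918 and IPv6 unique-local ranges only; other non-public ranges such as carrier-grade NAT (100.64.0.0/10) need an explicit deny list if they are reachable from the cluster.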
Summary
- /v1/agents endpoint with feature gating
Story: "OpenShell secures the agent boundary; DNS-AID resolves what's inside it."
Motivation / Context
AICR agents in Kubernetes need a standard discovery layer to find peers and a security boundary to control which connections are permitted. DNS-AID provides discovery via DNS SVCB lookups; OpenShell evaluates target agents' published policy documents before allowing the calling agent to connect.
Type of Change
Component(s) Affected
- /v1/agents endpoint)
- pkg/discovery, pkg/openshell, pkg/errors, pkg/defaults)
Implementation Notes
DNS-AID Discovery (pkg/discovery/)
- Discoverer: DNS SVCB queries for _{name}._{protocol}._agents.{domain}
- Publisher: K8s ConfigMap-based agent registration with create-or-update semantics
- _agents.{domain} for listing all agents
- OnStart/OnShutdown) for auto-publish/deregister
- AICR_DISCOVERY_ENABLED=true
OpenShell Policy Enforcement (pkg/openshell/)
- strict (deny on violation), permissive (log + allow, default), disabled
- OPENSHELL_MODE env var with startup validation
Integration
- /v1/agents evaluates OpenShell policy for each discovered agent with a policy URI
- nil — zero behavioral change when discovery is disabled
- POLICY_DENIED, POLICY_FETCH
- PolicyFetchTimeout (3s), PolicyCacheTTL (5m), PolicyMaxBytes (64KB)
Key Design Decisions
- major.minor as integers (not lexicographic) to correctly handle versions like 1.12.
Testing
- pkg/openshell: 84.2% coverage (30 tests)
- pkg/discovery: Mock DNS server tests for SVCB parsing, index listing, publisher
- pkg/api: Handler tests with nil guard, domain validation, empty index
Risk Assessment
Medium — New packages with no existing consumers beyond the /v1/agents endpoint. Feature-gated behind AICR_DISCOVERY_ENABLED and OPENSHELL_MODE env vars, so zero impact on existing functionality when disabled. Default mode is permissive (log-only), providing a safe rollout path.
Checklist
- -race
- go vet clean, gofmt clean)
- pkg/errors, slog, pkg/defaults)
- git commit -S)