node-feature-discovery/nfd-daemonset-combined.yaml.template

# This template contains an example of running nfd-master and nfd-worker in the
# same pod.
#
apiVersion: v1
kind: Namespace
metadata:
  name: node-feature-discovery # NFD namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfd-master
  namespace: node-feature-discovery
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nfd-master
rules:
- apiGroups:
  - ""
  resources:
  - nodes
# when using command line flag --resource-labels to create extended resources
# you will need to uncomment "- nodes/status"
# - nodes/status
  verbs:
  - get
  - patch
  - update
  # List only needed for --prune
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nfd-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nfd-master
subjects:
- kind: ServiceAccount
  name: nfd-master
  namespace: node-feature-discovery
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: nfd
  name: nfd
  namespace: node-feature-discovery
spec:
  selector:
    matchLabels:
      app: nfd
  template:
    metadata:
      labels:
        app: nfd
    spec:
      serviceAccount: nfd-master
      containers:
        - env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.7.0
          name: nfd-master
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          command:
            - "nfd-master"
        - env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.7.0
          name: nfd-worker
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          command:
            - "nfd-worker"
          args:
            - "--sleep-interval=60s"
          volumeMounts:
            - name: host-boot
              mountPath: "/host-boot"
              readOnly: true
            - name: host-os-release
              mountPath: "/host-etc/os-release"
              readOnly: true
            - name: host-sys
              mountPath: "/host-sys"
              readOnly: true
            - name: source-d
              mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
              readOnly: true
            - name: features-d
              mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
              readOnly: true
            - name: nfd-worker-conf
              mountPath: "/etc/kubernetes/node-feature-discovery"
              readOnly: true
      volumes:
        - name: host-boot
          hostPath:
            path: "/boot"
        - name: host-os-release
          hostPath:
            path: "/etc/os-release"
        - name: host-sys
          hostPath:
            path: "/sys"
        - name: source-d
          hostPath:
            path: "/etc/kubernetes/node-feature-discovery/source.d/"
        - name: features-d
          hostPath:
            path: "/etc/kubernetes/node-feature-discovery/features.d/"
        - name: nfd-worker-conf
          configMap:
            name: nfd-worker-conf
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nfd-worker-conf
  namespace: node-feature-discovery
data:
  nfd-worker.conf: |
    #sources:
    #  cpu:
    #    cpuid:
    ##     NOTE: whitelist has priority over blacklist
    #      attributeBlacklist:
    #        - "BMI1"
    #        - "BMI2"
    #        - "CLMUL"
    #        - "CMOV"
    #        - "CX16"
    #        - "ERMS"
    #        - "F16C"
    #        - "HTT"
    #        - "LZCNT"
    #        - "MMX"
    #        - "MMXEXT"
    #        - "NX"
    #        - "POPCNT"
    #        - "RDRAND"
    #        - "RDSEED"
    #        - "RDTSCP"
    #        - "SGX"
    #        - "SSE"
    #        - "SSE2"
    #        - "SSE3"
    #        - "SSE4.1"
    #        - "SSE4.2"
    #        - "SSSE3"
    #      attributeWhitelist:
    #  kernel:
    #    kconfigFile: "/path/to/kconfig"
    #    configOpts:
    #      - "NO_HZ"
    #      - "X86"
    #      - "DMI"
    #  pci:
    #    deviceClassWhitelist:
    #      - "0200"
    #      - "03"
    #      - "12"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #      - "subsystem_vendor"
    #      - "subsystem_device"
    #  usb:
    #    deviceClassWhitelist:
    #      - "0e"
    #      - "ef"
    #      - "fe"
    #      - "ff"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #  custom:
    #    - name: "my.kernel.feature"
    #      matchOn:
    #        - loadedKMod: ["example_kmod1", "example_kmod2"]
    #    - name: "my.pci.feature"
    #      matchOn:
    #        - pciId:
    #            class: ["0200"]
    #            vendor: ["15b3"]
    #            device: ["1014", "1017"]
    #        - pciId :
    #            vendor: ["8086"]
    #            device: ["1000", "1100"]
    #    - name: "my.usb.feature"
    #      matchOn:
    #        - usbId:
    #          class: ["ff"]
    #          vendor: ["03e7"]
    #          device: ["2485"]
    #        - usbId:
    #          class: ["fe"]
    #          vendor: ["1a6e"]
    #          device: ["089a"]
    #    - name: "my.combined.feature"
    #      matchOn:
    #        - pciId:
    #            vendor: ["15b3"]
    #            device: ["1014", "1017"]
    #          loadedKMod : ["vendor_kmod1", "vendor_kmod2"]
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`# This template contains an example of running nfd-master and nfd-worker in the`
			`# same pod.`
			`#`
			`apiVersion: v1`
Add nfd namespace to the daemonset-combined deployment template Without this the nfd namespace is not created and the deployment may fail. 2019-11-21 09:10:50 +00:00			`kind: Namespace`
			`metadata:`
			`name: node-feature-discovery # NFD namespace`
			`---`
			`apiVersion: v1`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`kind: ServiceAccount`
			`metadata:`
			`name: nfd-master`
Makefile: create default yamls, configurable namespace - Create default yamls for deploying master and worker. - Use kube-system namespace by default. - Configurable namespace: make IMAGE_REGISTRY=myhost:5000 K8S_NAMESPACE=my-nfd-devel 2019-05-28 14:13:52 +00:00			`namespace: node-feature-discovery`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: nfd-master`
			`rules:`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- nodes`
Sync ClusterRole in deployment templates 2020-11-20 15:18:26 +00:00			`# when using command line flag --resource-labels to create extended resources`
			`# you will need to uncomment "- nodes/status"`
			`# - nodes/status`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`verbs:`
			`- get`
			`- patch`
			`- update`
Sync ClusterRole in deployment templates 2020-11-20 15:18:26 +00:00			`# List only needed for --prune`
			`- list`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: nfd-master`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: nfd-master`
			`subjects:`
			`- kind: ServiceAccount`
			`name: nfd-master`
Makefile: create default yamls, configurable namespace - Create default yamls for deploying master and worker. - Use kube-system namespace by default. - Configurable namespace: make IMAGE_REGISTRY=myhost:5000 K8S_NAMESPACE=my-nfd-devel 2019-05-28 14:13:52 +00:00			`namespace: node-feature-discovery`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`---`
			`apiVersion: apps/v1`
			`kind: DaemonSet`
			`metadata:`
			`labels:`
			`app: nfd`
			`name: nfd`
Makefile: create default yamls, configurable namespace - Create default yamls for deploying master and worker. - Use kube-system namespace by default. - Configurable namespace: make IMAGE_REGISTRY=myhost:5000 K8S_NAMESPACE=my-nfd-devel 2019-05-28 14:13:52 +00:00			`namespace: node-feature-discovery`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`spec:`
			`selector:`
			`matchLabels:`
			`app: nfd`
			`template:`
			`metadata:`
			`labels:`
			`app: nfd`
			`spec:`
			`serviceAccount: nfd-master`
			`containers:`
			`- env:`
			`- name: NODE_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: spec.nodeName`
Update references to v0.7.0 Generated semi-automagically by running $ scripts/prepare-release.sh v0.7.0 2020-12-04 14:26:14 +00:00			`image: k8s.gcr.io/nfd/node-feature-discovery:v0.7.0`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`name: nfd-master`
Add container security context to the sample deployment specs Run under strict rules. We shouldn't need any special privileges. 2020-05-28 12:16:15 +00:00			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop: ["ALL"]`
			`readOnlyRootFilesystem: true`
			`runAsNonRoot: true`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`command:`
			`- "nfd-master"`
			`- env:`
			`- name: NODE_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: spec.nodeName`
Update references to v0.7.0 Generated semi-automagically by running $ scripts/prepare-release.sh v0.7.0 2020-12-04 14:26:14 +00:00			`image: k8s.gcr.io/nfd/node-feature-discovery:v0.7.0`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`name: nfd-worker`
Add container security context to the sample deployment specs Run under strict rules. We shouldn't need any special privileges. 2020-05-28 12:16:15 +00:00			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop: ["ALL"]`
			`readOnlyRootFilesystem: true`
			`runAsNonRoot: true`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`command:`
			`- "nfd-worker"`
			`args:`
			`- "--sleep-interval=60s"`
			`volumeMounts:`
			`- name: host-boot`
			`mountPath: "/host-boot"`
			`readOnly: true`
			`- name: host-os-release`
			`mountPath: "/host-etc/os-release"`
			`readOnly: true`
			`- name: host-sys`
			`mountPath: "/host-sys"`
Make all mounts in deployment templates read-only NFD-Worker does not need write access. 2020-11-20 09:32:33 +00:00			`readOnly: true`
Mount source.d and features.d in template YAMLs Signed-off-by: Jordan Jacobelli <jjacobelli@nvidia.com> 2019-04-20 00:21:38 +00:00			`- name: source-d`
			`mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"`
Make all mounts in deployment templates read-only NFD-Worker does not need write access. 2020-11-20 09:32:33 +00:00			`readOnly: true`
Mount source.d and features.d in template YAMLs Signed-off-by: Jordan Jacobelli <jjacobelli@nvidia.com> 2019-04-20 00:21:38 +00:00			`- name: features-d`
			`mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"`
Make all mounts in deployment templates read-only NFD-Worker does not need write access. 2020-11-20 09:32:33 +00:00			`readOnly: true`
Add nfd-worker-conf ConfigMap to deployment templates Add a virtually empty ConfigMap that is mounted inside the workers. Makes it easier to start customizing the worker deployment e.g. with just: $ kubectl -n ${NFD_NS} edit configmap nfd-worker-conf Create a new 'templates' make target for inserting the content of nfd-worker.conf.example into the configmap spec of the templates. Thus, 'make templates' should be run whenever the example config is update. Update the verify.sh prow script to check that the templates are up to date. This patch also streamlines the documentation about configuration management, reflecting the changes. 2020-11-18 09:35:20 +00:00			`- name: nfd-worker-conf`
			`mountPath: "/etc/kubernetes/node-feature-discovery"`
			`readOnly: true`
Add template spec for running master and worker in the same pod Makes deployment simpler, but, "softens" the setup by basically giving nodes the capability to label themselves. 2019-01-29 09:20:09 +00:00			`volumes:`
			`- name: host-boot`
			`hostPath:`
			`path: "/boot"`
			`- name: host-os-release`
			`hostPath:`
			`path: "/etc/os-release"`
			`- name: host-sys`
			`hostPath:`
			`path: "/sys"`
Mount source.d and features.d in template YAMLs Signed-off-by: Jordan Jacobelli <jjacobelli@nvidia.com> 2019-04-20 00:21:38 +00:00			`- name: source-d`
			`hostPath:`
			`path: "/etc/kubernetes/node-feature-discovery/source.d/"`
			`- name: features-d`
			`hostPath:`
			`path: "/etc/kubernetes/node-feature-discovery/features.d/"`
Add nfd-worker-conf ConfigMap to deployment templates Add a virtually empty ConfigMap that is mounted inside the workers. Makes it easier to start customizing the worker deployment e.g. with just: $ kubectl -n ${NFD_NS} edit configmap nfd-worker-conf Create a new 'templates' make target for inserting the content of nfd-worker.conf.example into the configmap spec of the templates. Thus, 'make templates' should be run whenever the example config is update. Update the verify.sh prow script to check that the templates are up to date. This patch also streamlines the documentation about configuration management, reflecting the changes. 2020-11-18 09:35:20 +00:00			`- name: nfd-worker-conf`
			`configMap:`
			`name: nfd-worker-conf`
			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: nfd-worker-conf`
			`namespace: node-feature-discovery`
			`data:`
			`nfd-worker.conf: \|`
			`#sources:`
			`# cpu:`
			`# cpuid:`
			`## NOTE: whitelist has priority over blacklist`
			`# attributeBlacklist:`
			`# - "BMI1"`
			`# - "BMI2"`
			`# - "CLMUL"`
			`# - "CMOV"`
			`# - "CX16"`
			`# - "ERMS"`
			`# - "F16C"`
			`# - "HTT"`
			`# - "LZCNT"`
			`# - "MMX"`
			`# - "MMXEXT"`
			`# - "NX"`
			`# - "POPCNT"`
			`# - "RDRAND"`
			`# - "RDSEED"`
			`# - "RDTSCP"`
			`# - "SGX"`
			`# - "SSE"`
			`# - "SSE2"`
			`# - "SSE3"`
			`# - "SSE4.1"`
			`# - "SSE4.2"`
			`# - "SSSE3"`
			`# attributeWhitelist:`
			`# kernel:`
			`# kconfigFile: "/path/to/kconfig"`
			`# configOpts:`
			`# - "NO_HZ"`
			`# - "X86"`
			`# - "DMI"`
			`# pci:`
			`# deviceClassWhitelist:`
			`# - "0200"`
			`# - "03"`
			`# - "12"`
			`# deviceLabelFields:`
			`# - "class"`
			`# - "vendor"`
			`# - "device"`
			`# - "subsystem_vendor"`
			`# - "subsystem_device"`
			`# usb:`
			`# deviceClassWhitelist:`
			`# - "0e"`
			`# - "ef"`
			`# - "fe"`
			`# - "ff"`
			`# deviceLabelFields:`
			`# - "class"`
			`# - "vendor"`
			`# - "device"`
			`# custom:`
			`# - name: "my.kernel.feature"`
			`# matchOn:`
			`# - loadedKMod: ["example_kmod1", "example_kmod2"]`
			`# - name: "my.pci.feature"`
			`# matchOn:`
			`# - pciId:`
			`# class: ["0200"]`
			`# vendor: ["15b3"]`
			`# device: ["1014", "1017"]`
			`# - pciId :`
			`# vendor: ["8086"]`
			`# device: ["1000", "1100"]`
			`# - name: "my.usb.feature"`
			`# matchOn:`
			`# - usbId:`
			`# class: ["ff"]`
			`# vendor: ["03e7"]`
			`# device: ["2485"]`
			`# - usbId:`
			`# class: ["fe"]`
			`# vendor: ["1a6e"]`
			`# device: ["089a"]`
			`# - name: "my.combined.feature"`
			`# matchOn:`
			`# - pciId:`
			`# vendor: ["15b3"]`
			`# device: ["1014", "1017"]`
			`# loadedKMod : ["vendor_kmod1", "vendor_kmod2"]`