
Add support running with OwnerReferencesPermissionEnforcement

when OwnerReferencesPermissionEnforcement validating webhook is
enabled additional permissions are required to set/update owner ref
field. NFD worker sets/updates NodeFeature owner ref field to
the worker pod and owning daemonset.

owner reference can only be updated if the worker has delete permissions
for NodeFeatures.

if owner reference has blockOwnerDeletion (as the case for the daemonset
owner reference) then it requires update permissions to the finalizers
of the owner, to avoid this, we set blockOwnerDeletion to false for all
owners referenced from NFD worker pod when setting/updating NodeFeature
owner ref.

Signed-off-by: adrianc <adrianc@nvidia.com>
(cherry picked from commit 3f012c2d5a)
This commit is contained in:
adrianc 2025-01-08 12:05:11 +02:00 committed by Markus Lehtonen
parent 725c20496e
commit 2b5e54d648
4 changed files with 8 additions and 2 deletions


@ -11,6 +11,7 @@ rules:
- create
- get
- update
- delete
- apiGroups:
- ""
resources:
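Review bot: The added `delete` verb on `nodefeatures` carries no `resourceNames` restriction, so the worker's identity can now delete every NodeFeature this binding reaches, not just the one it owns — a wider grant than the ownerReference update actually needs, although a per-object `resourceNames` list is not practical in a manifest shared by every worker pod. Whether this is a namespaced Role or a ClusterRole is not visible in the hunk; if cluster-wide, the exposure is every NodeFeature in the cluster. I would record the reason beside the verb so it is neither widened further nor mistaken for a verb the worker uses for actual deletion: `- delete # only needed so the worker may set/update ownerReferences under OwnerReferencesPermissionEnforcement`.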


@ -15,6 +15,7 @@ rules:
- create
- get
- update
- delete
- apiGroups:
- ""
resources:
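Review bot: Same least-privilege point as the other manifest: `delete` on `nodefeatures` is unscoped, so a compromised worker pod could delete NodeFeature objects beyond its own. The verb is required only because the GC admission plugin ties ownerReference changes to delete permission, which deserves an inline note so the two manifests stay in sync and the grant is not widened later: `- delete # required for setting/updating ownerReferences under OwnerReferencesPermissionEnforcement`. The Role/ClusterRole kind is outside the hunk, so the scope of the exposure cannot be judged from here.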


@ -41,6 +41,7 @@ import (
"k8s.io/apimachinery/pkg/util/validation"
k8sclient "k8s.io/client-go/kubernetes"
"k8s.io/klog/v2"
"k8s.io/utils/ptr"
klogutils "sigs.k8s.io/node-feature-discovery/pkg/utils/klog"
"sigs.k8s.io/yaml"
@ -325,7 +326,10 @@ func (w *nfdWorker) Run() error {
klog.ErrorS(err, "failed to get self pod, cannot inherit ownerReference for NodeFeature")
return err
} else {
ownerReference = append(ownerReference, selfPod.OwnerReferences...)
for _, owner := range selfPod.OwnerReferences {
owner.BlockOwnerDeletion = ptr.To(false)
ownerReference = append(ownerReference, owner)
}
}
podUID := os.Getenv("POD_UID")
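Review bot: The assignment `owner.BlockOwnerDeletion = ptr.To(false)` in the new loop has no comment saying why the inherited value is forced off, so a later reader is likely to "fix" it by copying the pod's owner reference verbatim and silently reintroduce the finalizer-permission failure this commit works around. I would add above the loop: `// OwnerReferencesPermissionEnforcement requires "update" on the owner's finalizers subresource when blockOwnerDeletion is set; clearing it lets the worker keep GC-linked NodeFeatures with only the nodefeatures delete verb.` It is worth stating the trade-off too: with the flag cleared, a foreground deletion of the owning DaemonSet or pod no longer waits for this NodeFeature, which appears acceptable since the object is still garbage-collected once its owner is gone. Note that `owner` is a per-iteration copy, so the mutation does not alter `selfPod.OwnerReferences` — fine as written, but the `else` after `return err` could be dropped to keep the happy path unindented. The enclosing `Run` starts and ends outside the hunk.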


@ -222,7 +222,7 @@ func createRoleWorker(ctx context.Context, cs clientset.Interface, ns string) (*
{
APIGroups: []string{"nfd.k8s-sigs.io"},
Resources: []string{"nodefeatures"},
Verbs: []string{"create", "get", "update"},
Verbs: []string{"create", "get", "update", "delete"},
},
{
APIGroups: []string{""},
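Review bot: The e2e Role now grants `delete`, but nothing in the diff asserts the behaviour that permission exists for — that the NodeFeature the worker creates carries `BlockOwnerDeletion: false` on its pod and DaemonSet owner references, and that creation succeeds when OwnerReferencesPermissionEnforcement is enabled. Whether the e2e cluster runs with that admission plugin cannot be told from here; if it does not, the new Role line is exercised but the regression the commit fixes stays untested. A cheap addition to whichever test already inspects the NodeFeature's owner references is to check every entry's `BlockOwnerDeletion` is non-nil and false, in the suite's existing assertion style. `createRoleWorker` continues outside the hunk.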