
deployment/helm: support nfd-gc

Rename files and parameters. Drop the container security context
parameters from the Helm chart. There should be no reason to run the
nfd-gc with other than the minimal privileges.

Also updates the documentation.
This commit is contained in:
Markus Lehtonen 2023-08-18 12:52:41 +03:00
parent 6cf29bd8ef
commit ceb672bde0
7 changed files with 63 additions and 59 deletions


@ -96,12 +96,12 @@ Create the name of the service account which topologyUpdater will use
{{- end -}}
{{/*
Create the name of the service account which topologyGC will use
Create the name of the service account which nfd-gc will use
*/}}
{{- define "node-feature-discovery.topologyGC.serviceAccountName" -}}
{{- if .Values.topologyGC.serviceAccount.create -}}
{{ default (printf "%s-topology-gc" (include "node-feature-discovery.fullname" .)) .Values.topologyGC.serviceAccount.name }}
{{- define "node-feature-discovery.gc.serviceAccountName" -}}
{{- if .Values.gc.serviceAccount.create -}}
{{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.topologyGC.serviceAccount.name }}
{{ default "default" .Values.gc.serviceAccount.name }}
{{- end -}}
{{- end -}}


@ -42,8 +42,8 @@ rules:
- update
{{- end }}
---
{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -80,12 +80,12 @@ rules:
- update
{{- end }}
{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
---
{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "node-feature-discovery.fullname" . }}-topology-gc
name: {{ include "node-feature-discovery.fullname" . }}-gc
labels:
{{- include "node-feature-discovery.labels" . | nindent 4 }}
rules:
@ -109,4 +109,11 @@ rules:
verbs:
- delete
- list
- apiGroups:
- nfd.k8s-sigs.io
resources:
- nodefeatures
verbs:
- delete
- list
{{- end }}
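Review bot: The nodefeatures delete/list rule added at the end of the gc ClusterRole is granted whenever the gc is rendered, including when `enableNodeFeatureApi` is false and the gc was only enabled because `topologyUpdater.enable` is set; the rule just above the hunk (outside it, presumably the noderesourcetopologies one) likely has the mirror-image problem when only the NodeFeature API is on. The enclosing condition already distinguishes the two cases, so each rule can be gated on its own flag, e.g. wrap the new apiGroups entry in `{{- if .Values.enableNodeFeatureApi }}` … `{{- end }}` and the topology one in `{{- if .Values.topologyUpdater.enable }}`. That keeps delete rights limited to the resource kinds the gc actually collects, in line with the minimal-privilege intent stated in the commit message.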


@ -15,8 +15,8 @@ subjects:
namespace: {{ include "node-feature-discovery.namespace" . }}
{{- end }}
---
{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -33,20 +33,20 @@ subjects:
namespace: {{ include "node-feature-discovery.namespace" . }}
{{- end }}
{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
---
{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "node-feature-discovery.fullname" . }}-topology-gc
name: {{ include "node-feature-discovery.fullname" . }}-gc
labels:
{{- include "node-feature-discovery.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "node-feature-discovery.fullname" . }}-topology-gc
name: {{ include "node-feature-discovery.fullname" . }}-gc
subjects:
- kind: ServiceAccount
name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }}
name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}
namespace: {{ include "node-feature-discovery.namespace" . }}
{{- end }}
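Review bot: The ServiceAccount subject on the last lines resolves its name with `.Values.gc.serviceAccount.name | default "nfd-gc"` rather than the `node-feature-discovery.gc.serviceAccountName` helper this commit defines in _helpers.tpl, so the helper is unused and the rendered name (`nfd-gc`) differs from what the helper and the values.md row for `gc.serviceAccount.name` describe (`<fullname>-gc`). The same inline default is used in serviceaccount.yaml. Suggest `name: {{ include "node-feature-discovery.gc.serviceAccountName" . }}` in both templates so the account, its binding and the documentation cannot drift apart; the `serviceAccount.create: false` fallback is then decided in one place as well.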


@ -1,36 +1,36 @@
{{- if and .Values.topologyGC.enable .Values.topologyUpdater.enable -}}
{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "node-feature-discovery.fullname" . }}-topology-gc
name: {{ include "node-feature-discovery.fullname" . }}-gc
namespace: {{ include "node-feature-discovery.namespace" . }}
labels:
{{- include "node-feature-discovery.labels" . | nindent 4 }}
role: topology-gc
role: gc
spec:
replicas: {{ .Values.topologyGC.replicaCount | default 1 }}
replicas: {{ .Values.gc.replicaCount | default 1 }}
selector:
matchLabels:
{{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
role: topology-gc
role: gc
template:
metadata:
labels:
{{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
role: topology-gc
role: gc
annotations:
{{- toYaml .Values.topologyGC.annotations | nindent 8 }}
{{- toYaml .Values.gc.annotations | nindent 8 }}
spec:
serviceAccountName: {{ .Values.topologyGC.serviceAccountName | default "nfd-topology-gc" }}
serviceAccountName: {{ .Values.gc.serviceAccountName | default "nfd-gc" }}
dnsPolicy: ClusterFirstWithHostNet
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.topologyGC.podSecurityContext | nindent 8 }}
{{- toYaml .Values.gc.podSecurityContext | nindent 8 }}
containers:
- name: topology-gc
- name: gc
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
env:
@ -39,25 +39,29 @@ spec:
fieldRef:
fieldPath: spec.nodeName
command:
- "nfd-topology-gc"
- "nfd-gc"
args:
{{- if .Values.topologyGC.interval | empty | not }}
- "-gc-interval={{ .Values.topologyGC.interval }}"
{{- if .Values.gc.interval | empty | not }}
- "-gc-interval={{ .Values.gc.interval }}"
{{- end }}
resources:
{{- toYaml .Values.topologyGC.resources | nindent 12 }}
{{- toYaml .Values.gc.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.topologyGC.securityContext | nindent 12 }}
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
readOnlyRootFilesystem: true
runAsNonRoot: true
{{- with .Values.topologyGC.nodeSelector }}
{{- with .Values.gc.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologyGC.affinity }}
{{- with .Values.gc.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologyGC.tolerations }}
{{- with .Values.gc.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}


@ -12,8 +12,8 @@ metadata:
{{- end }}
{{- end }}
---
{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
@ -27,23 +27,23 @@ metadata:
{{- end }}
{{- end }}
{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
---
{{- if and .Values.topologyGC.enable .Values.topologyGC.serviceAccount.create .Values.topologyUpdater.enable }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }}
name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}
namespace: {{ include "node-feature-discovery.namespace" . }}
labels:
{{- include "node-feature-discovery.labels" . | nindent 4 }}
{{- with .Values.topologyUpdater.serviceAccount.annotations }}
{{- with .Values.gc.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- if .Values.worker.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
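Review bot: The new guard on the gc ServiceAccount document, `{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}`, tests `gc.rbac.create` where the line it replaces tested `topologyGC.serviceAccount.create`; `gc.rbac.create` is the switch clusterrole.yaml and clusterrolebinding.yaml use for the RBAC objects, not for the account. As written, `gc.serviceAccount.create: false` (documented in values.md as the control for the account) still renders it, and `gc.rbac.create: false` silently drops the account the Deployment needs. Suggest `{{- if and .Values.gc.enable .Values.gc.serviceAccount.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}`. The annotations fix on the same document (`.Values.gc.serviceAccount.annotations` in place of the topologyUpdater key) is correct.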


@ -450,7 +450,7 @@ topologyUpdater:
affinity: {}
podSetFingerprint: true
topologyGC:
gc:
enable: true
replicaCount: 1
@ -464,12 +464,6 @@ topologyGC:
interval: 1h
podSecurityContext: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
readOnlyRootFilesystem: true
runAsNonRoot: true
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious


@ -189,24 +189,23 @@ API's you need to install the prometheus operator in your cluster.
| `topologyUpdater.podSetFingerprint` | bool | false | Enables compute and report of pod fingerprint in NRT objects. |
| `topologyUpdater.kubeletStateDir` | string | /var/lib/kubelet | Specifies kubelet state directory path for watching state and checkpoint files. Empty value disables kubelet state tracking. |
### Topology garbage collector parameters
### Garbage collector parameters
| Name | Type | Default | description |
|-----------------------------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `topologyGC.*` | dict | | NFD Topology Garbage Collector configuration |
| `topologyGC.enable` | bool | true | Specifies whether the NFD Topology Garbage Collector should be created |
| `topologyGC.serviceAccount.create` | bool | true | Specifies whether the service account for topology garbage collector should be created |
| `topologyGC.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for topology garbage collector |
| `topologyGC.serviceAccount.name` | string | | The name of the service account for topology garbage collector to use. If not set and create is true, a name is generated using the fullname template and `-topology-gc` suffix |
| `topologyGC.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for topology garbage collector |
| `topologyGC.interval` | string | 1h | Time between periodic garbage collector runs |
| `topologyGC.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings |
| `topologyGC.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
| `topologyGC.resources` | dict | {} | Topology garbage collector pod [resources management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| `topologyGC.nodeSelector` | dict | {} | Topology garbage collector pod [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) |
| `topologyGC.tolerations` | dict | {} | Topology garbage collector pod [node tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| `topologyGC.annotations` | dict | {} | Topology garbage collector pod [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) |
| `topologyGC.affinity` | dict | {} | Topology garbage collector pod [affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
|---------------------------------------|--------|---------|--------------------
| `gc.*` | dict | | NFD Garbage Collector configuration
| `gc.enable` | bool | true | Specifies whether the NFD Garbage Collector should be created
| `gc.serviceAccount.create` | bool | true | Specifies whether the service account for garbage collector should be created
| `gc.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for garbage collector
| `gc.serviceAccount.name` | string | | The name of the service account for garbage collector to use. If not set and create is true, a name is generated using the fullname template and `-gc` suffix
| `gc.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for garbage collector
| `gc.interval` | string | 1h | Time between periodic garbage collector runs
| `gc.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings
| `gc.resources` | dict | {} | Garbage collector pod [resources management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
| `gc.nodeSelector` | dict | {} | Garbage collector pod [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
| `gc.tolerations` | dict | {} | Garbage collector pod [node tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
| `gc.annotations` | dict | {} | Garbage collector pod [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
| `gc.affinity` | dict | {} | Garbage collector pod [affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
<!-- Links -->
[rbac]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/