diff --git a/deployment/helm/node-feature-discovery/templates/_helpers.tpl b/deployment/helm/node-feature-discovery/templates/_helpers.tpl index 5a0a5c97f..928ece78f 100644 --- a/deployment/helm/node-feature-discovery/templates/_helpers.tpl +++ b/deployment/helm/node-feature-discovery/templates/_helpers.tpl @@ -96,12 +96,12 @@ Create the name of the service account which topologyUpdater will use {{- end -}} {{/* -Create the name of the service account which topologyGC will use +Create the name of the service account which nfd-gc will use */}} -{{- define "node-feature-discovery.topologyGC.serviceAccountName" -}} -{{- if .Values.topologyGC.serviceAccount.create -}} - {{ default (printf "%s-topology-gc" (include "node-feature-discovery.fullname" .)) .Values.topologyGC.serviceAccount.name }} +{{- define "node-feature-discovery.gc.serviceAccountName" -}} +{{- if .Values.gc.serviceAccount.create -}} + {{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.topologyGC.serviceAccount.name }} + {{ default "default" .Values.gc.serviceAccount.name }} {{- end -}} {{- end -}} diff --git a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml index 0cec23b66..d4329338b 100644 --- a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml +++ b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml @@ -42,8 +42,8 @@ rules: - update {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -80,12 +80,12 @@ rules: - update {{- end }} +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} rules: @@ -109,4 +109,11 @@ rules: verbs: - delete - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + verbs: + - delete + - list {{- end }} diff --git a/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml b/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml index b0a69012f..8e3aef83e 100644 --- a/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml +++ b/deployment/helm/node-feature-discovery/templates/clusterrolebinding.yaml @@ -15,8 +15,8 @@ subjects: namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
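Review bot: The `nodefeatures` delete/list rule appended at the end of the @@ -109 hunk is granted whenever the gc ClusterRole renders at all, yet the guard introduced in the @@ -80 hunk renders that role for either `enableNodeFeatureApi` or `topologyUpdater.enable`. A deployment that only runs the topology updater therefore receives delete rights on NodeFeature objects it never touches, and the converse presumably holds for the pre-existing rule above it (its apiGroups/resources lines are outside the hunk). Gating each rule on the flag that actually needs it keeps the role at least privilege: wrap the added rule in `{{- if .Values.enableNodeFeatureApi }}` … `{{- end }}`, and the existing rule in `{{- if .Values.topologyUpdater.enable }}` … `{{- end }}` likewise.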
@@ -33,20 +33,20 @@ subjects: namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.rbac.create .Values.topologyUpdater.enable }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc subjects: - kind: ServiceAccount - name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }} + name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }} namespace: {{ include "node-feature-discovery.namespace" . }} {{- end }} diff --git a/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml b/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml index 642fec455..ff0859ea1 100644 --- a/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml +++ b/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml 
@@ -1,36 +1,36 @@ -{{- if and .Values.topologyGC.enable .Values.topologyUpdater.enable -}} +{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "node-feature-discovery.fullname" . }}-topology-gc + name: {{ include "node-feature-discovery.fullname" . }}-gc namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} - role: topology-gc + role: gc spec: - replicas: {{ .Values.topologyGC.replicaCount | default 1 }} + replicas: {{ .Values.gc.replicaCount | default 1 }} selector: matchLabels: {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} - role: topology-gc + role: gc template: metadata: labels: {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} - role: topology-gc + role: gc annotations: - {{- toYaml .Values.topologyGC.annotations | nindent 8 }} + {{- toYaml .Values.gc.annotations | nindent 8 }} spec: - serviceAccountName: {{ .Values.topologyGC.serviceAccountName | default "nfd-topology-gc" }} + serviceAccountName: {{ .Values.gc.serviceAccountName | default "nfd-gc" }} dnsPolicy: ClusterFirstWithHostNet {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.topologyGC.podSecurityContext | nindent 8 }} + {{- toYaml .Values.gc.podSecurityContext | nindent 8 }} containers: - - name: topology-gc + - name: gc image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: "{{ .Values.image.pullPolicy }}" env: 
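Review bot: `serviceAccountName: {{ .Values.gc.serviceAccountName | default "nfd-gc" }}` in the pod spec reads a flat `gc.serviceAccountName` key, while the ServiceAccount and ClusterRoleBinding hunks in this commit (and the `gc.serviceAccount.name` row in the docs) read `.Values.gc.serviceAccount.name`, and the `values.yaml` hunks shown here define no `gc.serviceAccountName`. A user who sets `gc.serviceAccount.name` gets an account and binding under that name but a Deployment still pointing at `nfd-gc`, so the pod either fails to start or, if an unrelated `nfd-gc` account exists in the namespace, runs under the wrong identity and RBAC. Use the same expression as the other templates, `serviceAccountName: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}`, or the `node-feature-discovery.gc.serviceAccountName` helper renamed in `_helpers.tpl`; note that the helper's generated default is `<fullname>-gc` rather than `nfd-gc`, so the two defaults would need reconciling too. The Deployment spec continues into the next hunk.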
@@ -39,25 +39,29 @@ spec: fieldRef: fieldPath: spec.nodeName command: - - "nfd-topology-gc" + - "nfd-gc" args: - {{- if .Values.topologyGC.interval | empty | not }} - - "-gc-interval={{ .Values.topologyGC.interval }}" + {{- if .Values.gc.interval | empty | not }} + - "-gc-interval={{ .Values.gc.interval }}" {{- end }} resources: - {{- toYaml .Values.topologyGC.resources | nindent 12 }} + {{- toYaml .Values.gc.resources | nindent 12 }} securityContext: - {{- toYaml .Values.topologyGC.securityContext | nindent 12 }} + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true - {{- with .Values.topologyGC.nodeSelector }} + {{- with .Values.gc.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.topologyGC.affinity }} + {{- with .Values.gc.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.topologyGC.tolerations }} + {{- with .Values.gc.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml b/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml index 03211e7c4..dae09503e 100644 --- a/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml +++ b/deployment/helm/node-feature-discovery/templates/serviceaccount.yaml @@ -12,8 +12,8 @@ metadata: {{- end }} {{- end }} ---- {{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }} +--- apiVersion: v1 kind: ServiceAccount metadata: 
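Review bot: The container securityContext hardcoded in the @@ -39 hunk sets `allowPrivilegeEscalation`, `capabilities.drop`, `readOnlyRootFilesystem` and `runAsNonRoot` but omits a seccomp profile, which the Kubernetes restricted Pod Security Standard also requires; because the block is no longer user-overridable (the `gc.securityContext` value is dropped in the `values.yaml` hunk below), a cluster enforcing `restricted` can only satisfy that through `gc.podSecurityContext`. Adding `seccompProfile:` / `type: RuntimeDefault` next to the other four fields completes the hardened set at the container level. A sentence in `docs/deployment/helm.md` stating that the gc container securityContext is fixed by the chart would also help, since the removed `gc.securityContext` row otherwise leaves no trace of the decision.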
@@ -27,23 +27,23 @@ metadata: {{- end }} {{- end }} +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} --- -{{- if and .Values.topologyGC.enable .Values.topologyGC.serviceAccount.create .Values.topologyUpdater.enable }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.topologyGC.serviceAccount.name | default "nfd-topology-gc" }} + name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }} namespace: {{ include "node-feature-discovery.namespace" . }} labels: {{- include "node-feature-discovery.labels" . | nindent 4 }} - {{- with .Values.topologyUpdater.serviceAccount.annotations }} + {{- with .Values.gc.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} ---- {{- if .Values.worker.serviceAccount.create }} +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml index a25956066..80c50bf61 100644 --- a/deployment/helm/node-feature-discovery/values.yaml +++ b/deployment/helm/node-feature-discovery/values.yaml @@ -450,7 +450,7 @@ topologyUpdater: affinity: {} podSetFingerprint: true -topologyGC: +gc: enable: true replicaCount: 1 @@ -464,12 +464,6 @@ topologyGC: interval: 1h podSecurityContext: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: [ "ALL" ] - readOnlyRootFilesystem: true - runAsNonRoot: true resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/docs/deployment/helm.md b/docs/deployment/helm.md index bc09e85c8..5056f9bdc 100644 --- a/docs/deployment/helm.md +++ b/docs/deployment/helm.md 
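Review bot: The new guard on the gc ServiceAccount, `{{- if and .Values.gc.enable .Values.gc.rbac.create (or …) }}`, swaps the removed `.Values.topologyGC.serviceAccount.create` for `.Values.gc.rbac.create`, so `gc.serviceAccount.create` no longer controls anything — contradicting the `gc.serviceAccount.create` row added in `docs/deployment/helm.md` and the topologyUpdater and worker ServiceAccounts in this same file, which gate on `serviceAccount.create`. It also means `gc.rbac.create: false` (clusters that manage RBAC externally) silently suppresses the ServiceAccount as well, while `gc.serviceAccount.create: false` still renders one. The condition should read `{{- if and .Values.gc.enable .Values.gc.serviceAccount.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}`.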
@@ -189,24 +189,23 @@ API's you need to install the prometheus operator in your cluster. | `topologyUpdater.podSetFingerprint` | bool | false | Enables compute and report of pod fingerprint in NRT objects. | | `topologyUpdater.kubeletStateDir` | string | /var/lib/kubelet | Specifies kubelet state directory path for watching state and checkpoint files. Empty value disables kubelet state tracking. | -### Topology garbage collector parameters +### Garbage collector parameters | Name | Type | Default | description | -|-----------------------------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `topologyGC.*` | dict | | NFD Topology Garbage Collector configuration | -| `topologyGC.enable` | bool | true | Specifies whether the NFD Topology Garbage Collector should be created | -| `topologyGC.serviceAccount.create` | bool | true | Specifies whether the service account for topology garbage collector should be created | -| `topologyGC.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for topology garbage collector | -| `topologyGC.serviceAccount.name` | string | | The name of the service account for topology garbage collector to use. 
If not set and create is true, a name is generated using the fullname template and `-topology-gc` suffix | -| `topologyGC.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for topology garbage collector | -| `topologyGC.interval` | string | 1h | Time between periodic garbage collector runs | -| `topologyGC.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings | -| `topologyGC.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | -| `topologyGC.resources` | dict | {} | Topology garbage collector pod [resources management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| `topologyGC.nodeSelector` | dict | {} | Topology garbage collector pod [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | -| `topologyGC.tolerations` | dict | {} | Topology garbage collector pod [node tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| `topologyGC.annotations` | dict | {} | Topology garbage collector pod [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) | -| `topologyGC.affinity` | dict | {} | Topology garbage collector pod [affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +|---------------------------------------|--------|---------|-------------------- +| `gc.*` | dict | | NFD Garbage Collector configuration +| `gc.enable` | bool | true | Specifies whether the NFD Garbage Collector should be created +| `gc.serviceAccount.create` | bool | true | Specifies whether the service account for garbage collector should be 
created +| `gc.serviceAccount.annotations` | dict | {} | Annotations to add to the service account for garbage collector +| `gc.serviceAccount.name` | string | | The name of the service account for garbage collector to use. If not set and create is true, a name is generated using the fullname template and `-gc` suffix +| `gc.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for garbage collector +| `gc.interval` | string | 1h | Time between periodic garbage collector runs +| `gc.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings +| `gc.resources` | dict | {} | Garbage collector pod [resources management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +| `gc.nodeSelector` | dict | {} | Garbage collector pod [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +| `gc.tolerations` | dict | {} | Garbage collector pod [node tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +| `gc.annotations` | dict | {} | Garbage collector pod [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) +| `gc.affinity` | dict | {} | Garbage collector pod [affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) [rbac]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/