Kubernetes 1.23 has introduced native health probes for gRPC which
can replace the grpc_health_probe utility. This commit removes baking
the grpc_health_probe binary into the image and updates related
health checks to use k8s native gRPC.
Signed-off-by: Muyassarov, Feruzjon <feruzjon.muyassarov@intel.com>
Switch to fully statically linked binaries and use scratch as a base
image.
Switching to the virtually empty scratch base image means that the
default/minimal NFD image only supports running hooks that are truly
statically linked (e.g. normal go binaries that are "almost" statically
linked stop working). The documentation has already been stating this
(i.e. that only statically-linked binaries are supported) - i.e. we have
had no promise of supporting other than that. Also, hooks are now
deprecated and even disabled by default so the possibility of real user
impact should be small.
Move out running unit tests as part of container image building and
instead add it into verify.sh script which runs linter, formatter
and other checks.
Signed-off-by: Muyassarov, Feruzjon <feruzjon.muyassarov@intel.com>
Switch over to the "non-point-release" version of the image. Now we
always use the latest patch version of golang with latest security
fixes, for example, without the need to manually bump the version after
every point release.
This patch also makes the builder image configurable through a Makefile
variable.
For reproducible builds we should use fixed point-release versions in
release-branches.
Rename grpc-health-probe -> grpc_health_probe as
our deployment yamls and its own documentation
refer to it by this name.
This should fix broken NFD deployments.
Signed-off-by: Eduard Bartosh <eduard.bartosh@intel.com>
Current grpc-health-probe functionality is pulling a binary, hard coded
to amd64, which is both insecure and only works for one arch. Preparing to build
NFD for multiple archs requires that we build the health probe from source;
that way we get rid of the insecure binary pull and guarantee a proper
arch build for the grpc-health-probe.
Signed-off-by: Carlos Eduardo Arango Gutierrez <carangog@redhat.com>
Implement functionality virtually replicating deployment templates for
nfd-master and nfd-worker daemonset (nfd-master.yaml.template and
nfd-worker-daemonset.yaml.template) by adding a kustomize overlay named
"default".
We split the resources into multiple bases (rbac, master and
worker-daemonset) so that relevant parts are re-usable in
other deployment scenarios added later (e.g. "one-shot job", and
"combined daemonset").
This patch adds one component (components/common) doing the required
kustomization for the example deployment.
* Add support for configurable runtime full and minimal images.
* Fixups and renamings.
* Change variables *_IMG_* to *_IMAGE_*
* Fix args in Dockerfile also.
Build a "minimal" variant of the nfd image based on
gcr.io/distroless/base. The motivations behind the minimal image are
image hardening (security) and reducing the image footprint (from ca.
108MB down to about 40MB).
The practical effect of deploying the minimal image is that no runtimes
for running worker hooks are present, not even a shell. This means that
only statically linked hook binaries are supported. Also, because
of the image hardening, live debugging of the minimal image by attaching
to the container is not possible, and the "full" image needs to be used
for that purpose.
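Both the scratch-base commit above and this distroless "minimal" image commit rest on the same requirement: a hook binary only runs there if it is truly statically linked, with no request for a dynamic loader and no shared-library dependencies. The following Go program is an added example, not code from the NFD project, that checks an ELF file for exactly those two properties (a PT_INTERP program header and DT_NEEDED entries) using only the standard library's debug/elf package. The InspectELF and syntheticELF names and the constructed minimal ELF images it builds for offline testing are the example's own assumptions; the loader path inside the synthetic image is a constructed sample value.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// StaticReport summarises why an ELF binary would or would not run on a
// base image that ships no dynamic loader and no shared libraries.
type StaticReport struct {
	Interp      string   // PT_INTERP path (dynamic loader), empty if none
	Needed      []string // DT_NEEDED entries, nil if there is no .dynamic section
	FullyStatic bool     // true only when both of the above are absent
}

// InspectELF decides whether the ELF image behind r is fully static: it must
// carry no PT_INTERP program header and no DT_NEEDED shared-library entries.
// A Go binary that pulls in libc through cgo fails both tests, which is the
// "almost statically linked" case that breaks on scratch/distroless.
func InspectELF(r io.ReaderAt) (StaticReport, error) {
	var rep StaticReport
	f, err := elf.NewFile(r)
	if err != nil {
		return rep, err
	}
	defer f.Close()
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			buf := make([]byte, p.Filesz)
			if _, err := p.ReadAt(buf, 0); err != nil && err != io.EOF {
				return rep, err
			}
			rep.Interp = string(bytes.TrimRight(buf, "\x00"))
		}
	}
	// ImportedLibraries returns nil, nil when the file has no .dynamic section.
	libs, err := f.ImportedLibraries()
	if err != nil {
		return rep, err
	}
	rep.Needed = libs
	rep.FullyStatic = rep.Interp == "" && len(libs) == 0
	return rep, nil
}

// syntheticELF builds a constructed, minimal ELF64 image (a header plus one
// program header, not a runnable executable) so the check can be exercised
// offline. With withInterp set it carries a PT_INTERP header naming a
// dynamic loader; otherwise a single PT_LOAD header, as a static binary has.
func syntheticELF(withInterp bool) []byte {
	const hdrSize, phSize = 64, 56
	interp := []byte("/lib64/ld-linux-x86-64.so.2\x00") // constructed sample path
	hdr := elf.Header64{
		Type:      uint16(elf.ET_EXEC),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     hdrSize,
		Ehsize:    hdrSize,
		Phentsize: phSize,
		Phnum:     1,
		Shentsize: 64,
	}
	copy(hdr.Ident[:], elf.ELFMAG)
	hdr.Ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	hdr.Ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	ph := elf.Prog64{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X),
		Filesz: hdrSize + phSize, Memsz: hdrSize + phSize, Align: 0x1000}
	if withInterp {
		ph = elf.Prog64{Type: uint32(elf.PT_INTERP), Flags: uint32(elf.PF_R),
			Off: hdrSize + phSize, Filesz: uint64(len(interp)), Memsz: uint64(len(interp)), Align: 1}
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	binary.Write(&buf, binary.LittleEndian, ph)
	buf.Write(interp)
	return buf.Bytes()
}

func main() {
	// Usage (assumed): go run . /path/to/hook-binary [...]
	for _, path := range os.Args[1:] {
		fh, err := os.Open(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		rep, err := InspectELF(fh)
		fh.Close()
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: fully static=%v interp=%q needed=%v\n", path, rep.FullyStatic, rep.Interp, rep.Needed)
	}
}
```

Run against a Go hook built with CGO_ENABLED=0 the report shows no interpreter and no needed libraries; a hook that links libc reports a loader path and a DT_NEEDED list, which is the shape of binary the commits above say can no longer run in the default image.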
- update to golang 1.15.5 (was 1.15.4)
- Be more explicit about using the -buster variant for build image
- Update runtime image from -stretch to -buster to pick up security fixes
Introduce a new makefile variable and dockerfile build arg named
HOSTMOUNT_PREFIX for changing the prefix used for mounting host
directories inside the container. Adds a sed rule in Makefile to
generate deployment yamls accordingly.
Speeds up local builds considerably as the deps are cached (instead of
downloading them all on every build) - as long as go.mod and go.sum are
not changed.
Refactor NFD into a simple server-client system. Labeling is now done by
a separate 'nfd-master' server. It is a simple service with small
codebase, designed for easy isolation. The feature discovery part is
implemented in a 'nfd-worker' client which sends labeling requests to
nfd-server, thus, requiring no access/permissions to the Kubernetes API
itself.
Client-server communication is implemented by using gRPC. The protocol
currently consists of only one request, i.e. the labeling request.
The spec templates are converted to the new scheme. The nfd-master
server can be deployed using the nfd-master.yaml.template which now also
contains the necessary RBAC configuration. NFD workers can be deployed
by using the nfd-worker-daemonset.yaml.template or
nfd-worker-job.yaml.template (most easily used with the label-nodes.sh
script).
Only nfd-worker currently supports a config file or options. The (default)
NFD config file is renamed to nfd-worker.conf.
Glide is not actively developed anymore, and, its documentation
recommends migrating to dep. Also, dep is widely used in other k8s
projects.
Migrating to dep dramatically reduces the size of the populated vendor/
directory from 75MB down to about 20MB.
Get rid of the dependency on intel-cmt-cat library and rdt helper
binaries written in C. Significantly simplifies the build procedure.
Implements minimal support (in assembler) for getting the raw data from
the CPUID instruction. Also, implement a stub so that the code works on
other architectures than amd64, too.
Support yaml/json based config file for nfd. This commit does not add
any actual consumers for the config file, yet.
By default, nfd tries to read
/etc/kubernetes/node-feature-discovery/node-feature-discovery.conf.
This can be changed by specifying the --config command line flag.
To cut the image size further, down to about 75MB, we use Debian
stretch-slim as the base for the production image, as golang docker
images use stretch as their base.
This reduces the size of the Docker image from ca. 1.2GB down to about
750MB.
Also, move unit tests from .travis.yml to Dockerfile. Final production
image is not able to run unit tests anymore, as sources are missing from
there.
intel-cmt-cat repo is located in github/intel/ now,
update links accordingly, correcting also some
source file names pointed from files under rdt-discovery/.
Updated also ref. to intel-cmt-cat in Dockerfile.
No functional changes.
This makes the build more deterministic. Previously, nfd just blindly
took the tip revision from the intel-cmt-cat master branch, which could break
the build without any changes in nfd itself.
* Make rdt-discovery buildable outside hardcoded path
Do not assume that nfd sources always reside under hardcoded directory
"/go/src/github.com/kubernetes-incubator/node-feature-discovery/". This
makes it possible e.g. to build nfd locally outside the Docker
container.
* Do not hardcode the path for RDT helper binaries
Utilize the standard PATH env variable, instead.