"unconfined" annotation was needed to get writes to new_id / bind
to succeed on AppArmor enabled OSes.
However, many things have changed:
* new_id should not be used anymore and it was dropped in the plugin.
* QAT initcontainer has assumed the role of HW initialization.
* vfio-pci is the preferred "dpdkDriver" and starting with QAT Gen4, it
is the only available VF driver so unbind isn't necessary.
* k8s AppArmor is "GA" since 1.30 and the annotation is deprecated.
As of now, the initcontainer will take care of binding QAT VFs to vfio-pci
so the plugin does not need to set AppArmor at all.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Operatorhub bundle can have sha256 image tags that are put through
env vars. When operator controller manager gets upgraded, its
operands (plugin daemonsets) should be updated to the image in the
env vars. But it has not been working properly because of wrong
parsing.
Fix it to parse the image names that have sha256 tags correctly so
env vars in operator can be used as intended.
Additionally, add comments with an example result to the part
where parsing, trimming, or transforming the name of images happens
in UpgradeImages to make the process intuitive.
Signed-off-by: Hyeongju Johannes Lee <hyeongju.lee@intel.com>
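
Added example (not code from the commit or the project): one way to split image references so that a digest-pinned name from an env var is matched to the operand it replaces. The function names, registry host, version and digest are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitImageRef splits an image reference into its repository path and its
// version part (a tag or a "sha256:..." digest). pinned is true for digests.
func splitImageRef(ref string) (repo, version string, pinned bool) {
	// A digest is introduced by '@' and takes precedence over any tag.
	if i := strings.LastIndex(ref, "@"); i >= 0 {
		repo, version, pinned = ref[:i], ref[i+1:], true
		// Drop a tag left in front of the digest: name:tag@sha256:...
		if j := strings.LastIndex(repo, ":"); j > strings.LastIndex(repo, "/") {
			repo = repo[:j]
		}
		return
	}
	// A tag is the text after the last ':' that follows the last '/', so the
	// port in "registry:5000/img" is not mistaken for a tag.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i], ref[i+1:], false
	}
	return ref, "", false
}

// baseName returns the last path component of the repository,
// e.g. "intel-qat-plugin".
func baseName(ref string) string {
	repo, _, _ := splitImageRef(ref)
	return repo[strings.LastIndex(repo, "/")+1:]
}

// upgradeImage returns the env-provided image when it names the same
// component as the current operand image; otherwise current is kept.
func upgradeImage(current, fromEnv string) string {
	if fromEnv != "" && baseName(current) == baseName(fromEnv) {
		return fromEnv
	}
	return current
}

func main() {
	// Constructed sample values: the digest is not a real image digest.
	cur := "docker.io/intel/intel-qat-plugin:0.29.0"
	env := "registry.example:5000/intel/intel-qat-plugin@sha256:" + strings.Repeat("ab", 32)
	fmt.Println(upgradeImage(cur, env))
}
```

Splitting only on ':' would cut a digest reference at "sha256" or at the registry port, which is the kind of misparse that leaves operands on the old image.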
Operator maturity level 3 requires cpu/memory requests and limits
for operands. Add them to all plugins deployed by operator.
Signed-off-by: Hyeongju Johannes Lee <hyeongju.lee@intel.com>
Additional objects are shared between device plugin CRs. Once the last
CR is removed, the additional objects are also removed.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Differentiate objects by adding cr names as suffixes
Drop kind book keeping and related functions from controllers
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
NFD v0.14+ doesn't support binary NFD hooks by default, so there is
a need to move the label creation away from the GPU nfdhook.
Move extended resource label creation to plugin, and drop labels that were
already marked deprecated (platform_gen, media_version etc.).
Drop init-container from deployment files and operator. It is still possible
to use an initcontainer, but the default deployments do not support it.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Proper SELinux labels are required for the plugins to run in SELinux
enabled clusters like openshift. These labels are custom made for
plugins and are part of container-selinux package.
Signed-off-by: Manish Regmi <manish.regmi@intel.com>
setInitContainer() adds "init-sriov-numvfs" to initContainers
but uses initcontainerName constant to search where to add
the QAT configMap volumeMount. Fix by moving all code to use
the const.
It was also noticed in the controller logs that setting Pod
Volumes is not idempotent but broken DaemonSet gets created:
""intel-device-plugins-manager: Reconciler error "err="DaemonSet.apps
\"intel-qat-plugin\" is invalid: spec.template.spec.volumes[6].name:
Duplicate value: \"qat-config\"" controller="qatdeviceplugin"
controllerGroup="deviceplugin.intel.com"
Finally, change 'qat-config' to 'intel-qat-config-volume' to
better describe that it's a volume.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
In large clusters and with resource management, the load
from gpu-plugins can become heavy for the api-server.
This change will start fetching pod listings from kubelet
and use api-server as a backup. Any other error than timeout
will also move the logic back to using api-server.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
NFD hooks are deprecated and going away:
https://github.com/kubernetes-sigs/node-feature-discovery/issues/856
This makes the mount names more future-proof, and shows where later
changes need to be done (to change operator mount directory, and
switch hook-using deployments e.g. to feature files).
Signed-off-by: Eero Tamminen <eero.t.tamminen@intel.com>