Our SGX README guides users to first deploy NFD and create NodeFeatureRules
when sgx_plugin/overlays/epc-nfd is used. However, it turns out
the "SGX enabled" label is not being used by the plugin DaemonSet.
Use "intel.feature.node.kubernetes.io/sgx": "true" as the nodeSelector
value when the kustomization overlay with NFD is used.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
The VPU plugin can only be used with devices that are
no longer supported by upper layers, such as OpenVINO.
The deprecation plan for the plugin was announced earlier
this year and post v0.28 marks the date when the plugin is removed
from the repo.
Releases before v0.29 have the plugin available should it
be needed.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
With recent NFD versions (v0.13+), it's no longer necessary to
start NFD with custom nfd-master args/rbac settings to get numeric
labels registered as extended resources.
The same can be specified via NodeFeatureRules which also works for
"local" source with feature files.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
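The two commits above describe the same deployment pattern: let NFD create both the "SGX enabled" label and the numeric EPC extended resource from a NodeFeatureRule, and make the plugin DaemonSet actually consume that label through a nodeSelector. The manifests below are an added illustration, not files from the repository or from the commit authors. The NodeFeatureRule uses the NFD `cpu.security` feature and the `@`-reference syntax for `extendedResources` (v0.13+); the DaemonSet name `intel-sgx-plugin`, the overlay path `../../base` and the exact feature attribute names are assumptions and must be checked against the NFD version and plugin release in use.

```yaml
# --- node-feature-rules.yaml (added example, not the project's own file) ---
# NFD evaluates this rule on every node. When it matches, nfd-master sets the
# label used by the plugin's nodeSelector and registers the EPC size as an
# extended resource, replacing the old nfd-master "--resource-labels" args/RBAC.
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-sgx-platform
spec:
  rules:
    - name: "intel.sgx"
      labels:
        # Must match the nodeSelector in the kustomization patch below.
        "intel.feature.node.kubernetes.io/sgx": "true"
      extendedResources:
        # "@<feature>.<attribute>" copies the attribute value (bytes of EPC)
        # into the node's capacity; assumption: attribute exists in this NFD.
        "sgx.intel.com/epc": "@cpu.security.sgx.epc"
      matchFeatures:
        - feature: cpu.security
          matchExpressions:
            sgx.enabled: {op: IsTrue}
        - feature: kernel.config
          matchExpressions:
            # Kernel must have the in-tree SGX driver enabled.
            X86_SGX: {op: Exists}
---
# --- kustomization.yaml (added example) ---
# The overlay patches the plugin DaemonSet so it only runs where NFD has set
# the label; otherwise the DaemonSet is scheduled on every node regardless.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base                 # assumption: base plugin deployment lives here
  - node-feature-rules.yaml
patches:
  - target:
      kind: DaemonSet
      name: intel-sgx-plugin     # assumption: DaemonSet name in the base
    patch: |-
      - op: add
        path: /spec/template/spec/nodeSelector
        value:
          intel.feature.node.kubernetes.io/sgx: "true"
```

After `kubectl apply -k`, verify the chain end to end: `kubectl get nodes -l intel.feature.node.kubernetes.io/sgx=true` should list only SGX-capable nodes, `kubectl get node <name> -o jsonpath='{.status.capacity.sgx\.intel\.com/epc}'` should show the EPC size, and the plugin pods should be scheduled on exactly those nodes. The label value is a string, so `"true"` must be quoted in both the rule and the nodeSelector or the YAML parser will emit a boolean and the selector will not match.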
NFD v0.14+ doesn't support binary NFD hooks by default, so there is
a need to move the label creation away from the GPU nfdhook.
Move extended resource label creation to plugin, and drop labels that were
already marked deprecated (platform_gen, media_version etc.).
Drop init-container from deployment files and operator. It is still possible
to use an init-container, but the default deployments do not support it.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
hostNetwork usage for SGX demo pods is not absolutely necessary, so it's
better to clean it up and make IAS "security" scanners happier. It was
originally used to be able to use a "localhost" PCCS, but this change now
adds an example of how a proper PCCS URL can be configured using jq.
Additionally, SGX DCAP Quote Verification is added.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
FPGA and SGX webhooks mutate container resources which
are immutable. Therefore, stop processing pod updates
and act on creation only.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Proper SELinux labels are required for the plugins to run in SELinux
enabled clusters like OpenShift. These labels are custom-made for
plugins and are part of the container-selinux package.
Signed-off-by: Manish Regmi <manish.regmi@intel.com>
k8s 1.27.x triggers build errors on controller-runtime 0.14.x
so we will need to update to 0.15.x at the same time.
Changes include:
* k8s e2e framework moved to use Ginkgo context so we add
test context to all our test nodes.
* adapt Ginkgo parameter modifications.
* adapt SGX admissionwebhook to InjectDecoder removal.
* adapt deviceplugins and FPGA CRDs to controller-runtime
API changes.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
In large clusters and with resource management, the load
from gpu-plugins can become heavy for the api-server.
This change will start fetching pod listings from kubelet
and use api-server as a backup. Any other error than timeout
will also move the logic back to using api-server.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
NFD hooks are deprecated and going away:
https://github.com/kubernetes-sigs/node-feature-discovery/issues/856
This makes the mount names more future-proof, and shows where later
changes need to be done (to change operator mount directory, and
switch hook-using deployments e.g. to feature files).
Signed-off-by: Eero Tamminen <eero.t.tamminen@intel.com>