mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
85 lines
3.8 KiB
Markdown
85 lines
3.8 KiB
Markdown
# Build and install Intel FPGA webhook for admission controller
|
|
|
|
### Dependencies
|
|
|
|
You must install and set up the following FPGA plugin modules for correct operation:
|
|
|
|
- [FPGA device plugin](../fpga_plugin/README.md)
|
|
- [FPGA admission controller webhook](README.md) (this module)
|
|
- [FPGA prestart CRI-O hook](../fpga_crihook/README.md)
|
|
|
|
### Get source code:
|
|
```
|
|
$ mkdir -p $GOPATH/src/github.com/intel/
|
|
$ cd $GOPATH/src/github.com/intel/
|
|
$ git clone https://github.com/intel/intel-device-plugins-for-kubernetes.git
|
|
```
|
|
|
|
### Build a Docker image with the webhook:
|
|
```
|
|
$ export SRC=$GOPATH/src/github.com/intel/intel-device-plugins-for-kubernetes
|
|
$ cd $SRC
|
|
$ make intel-fpga-admissionwebhook
|
|
$ docker images
|
|
REPOSITORY TAG IMAGE ID CREATED SIZE
|
|
intel-fpga-admissionwebhook 10efe163a5091e8b2ceaa9baad236d3a41063c88 6c3bce0b8693 0 sec ago 25.2MB
|
|
intel-fpga-admissionwebhook devel 6c3bce0b8693 0 sec ago 25.2MB
|
|
...
|
|
```
|
|
|
|
### Deploy webhook service:
|
|
|
|
Verify that the `cfssl` and `jq` utilities are installed on your host.
|
|
Run the `scripts/webhook-deploy.sh` script.
|
|
```
|
|
$ cd $SRC
|
|
$ ./scripts/webhook-deploy.sh
|
|
Create secret including signed key/cert pair for the webhook
|
|
Creating certs in /tmp/tmp.Ebb77GBKqm
|
|
certificatesigningrequest.certificates.k8s.io/intel-fpga-webhook-svc.default created
|
|
NAME AGE REQUESTOR CONDITION
|
|
intel-fpga-webhook-svc.default 0s system:admin Pending
|
|
certificatesigningrequest.certificates.k8s.io/intel-fpga-webhook-svc.default approved
|
|
secret/intel-fpga-webhook-certs created
|
|
Removing /tmp/tmp.Ebb77GBKqm
|
|
Create FPGA CRDs
|
|
customresourcedefinition.apiextensions.k8s.io/acceleratorfunctions.fpga.intel.com created
|
|
customresourcedefinition.apiextensions.k8s.io/fpgaregions.fpga.intel.com created
|
|
acceleratorfunction.fpga.intel.com/arria10-nlb0 created
|
|
acceleratorfunction.fpga.intel.com/arria10-nlb3 created
|
|
fpgaregion.fpga.intel.com/arria10 created
|
|
clusterrole.rbac.authorization.k8s.io/fpga-reader created
|
|
clusterrolebinding.rbac.authorization.k8s.io/default-fpga-reader created
|
|
Create webhook deployment
|
|
deployment.extensions/intel-fpga-webhook-deployment created
|
|
Create webhook service
|
|
service/intel-fpga-webhook-svc created
|
|
Register webhook
|
|
mutatingwebhookconfiguration.admissionregistration.k8s.io/fpga-mutator-webhook-cfg created
|
|
```
|
|
|
|
Mappings of resource names are configured with objects of `AcceleratorFunction` and
|
|
`FpgaRegion` custom resource definitions found respectively in
|
|
`./deployment/fpga_admissionwebhook/af-crd.yaml` and `./deployment/fpga_admissionwebhook/region-crd.yaml`.
|
|
|
|
By default, the script deploys the webhook in a preprogrammed mode. Requested FPGA resources are translated to AF resources. For example,
|
|
`fpga.intel.com/arria10-nlb0` is translated to `fpga.intel.com/af-d8424dc4a4a3c413f89e433683f9040b`.
|
|
|
|
Use the option `--mode` to command the script to deploy the webhook in orchestrated mode:
|
|
```
|
|
$ ./scripts/webhook-deploy.sh --mode orchestrated
|
|
```
|
|
|
|
Note that the script needs the CA bundle used for signing certificate
|
|
requests in your cluster. By default, the script fetches the bundle stored
|
|
in the configmap `extension-apiserver-authentication`. However, your cluster may use a different signing certificate that is passed in the option
|
|
`--cluster-signing-cert-file` to `kube-controller-manager`. In this case,
|
|
you must point the script to the actual signing certificate as follows:
|
|
```
|
|
$ ./scripts/webhook-deploy.sh --ca-bundle-path /var/run/kubernetes/server-ca.crt
|
|
```
|
|
|
|
### Next steps
|
|
|
|
Continue with [FPGA prestart CRI-O hook](../fpga_crihook/README.md).
|