Gpu resource driver chart improvements (#76)

* Namespace should use namespace template

* Add pod security label to resource driver namespace because hostpath requires privileged

* nfd: Allow deploying node feature rules without deploying nfd

* Validating admission policy should not have hardcoded service account, use template functions instead

* Make cdi spec dirs paths configurable

* serviceAccount is deprecated and should not be hardcoded, serviceAccountName is sufficient

* Remove default values for namespaceOverride and serviceAccount to  use default helper functions instead

Signed-off-by: Rouke Broersma <[email protected]>

Author: rouke-broersma

charts/intel-gpu-resource-driver/templates/nfd.yaml renamed to charts/intel-gpu-resource-driver/templates/node-feature-rules.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.nfd.enabled }}
+{{- if or .Values.nodeFeatureRules.enabled .Values.nfd.enabled }}
 apiVersion: nfd.k8s-sigs.io/v1alpha1
 kind: NodeFeatureRule
 metadata:

charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: intel-gpu-resource-driver
+  name: {{ include "intel-gpu-resource-driver.namespace" . }}
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

charts/intel-gpu-resource-driver/templates/resource-driver.yaml

@@ -14,7 +14,6 @@ spec:
       labels:
         app: intel-gpu-resource-driver
     spec:
-      serviceAccount: intel-gpu-resource-driver-service-account
       serviceAccountName: {{ include "intel-gpu-resource-driver.serviceAccountName" . }}
       containers:
       - name: kubelet-plugin
@@ -62,18 +61,18 @@ spec:
           path: /var/lib/kubelet/plugins
       - name: cdi
         hostPath:
-          path: /etc/cdi
+          path: {{ .Values.cdi.staticPath }}
       - name: varruncdi
         hostPath:
-          path: /var/run/cdi
+          path: {{ .Values.cdi.dynamicPath}}
       - name: sysfs
         hostPath:
           path: /sys
       {{- with .Values.kubeletPlugin.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.nfd.enabled }}
+      {{- if or .Values.nodeFeatureRules.enabled .Values.nfd.enabled }}
       nodeSelector:
         intel.feature.node.kubernetes.io/gpu: "true"
       {{- else }}

charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml

@@ -13,7 +13,7 @@ spec:
   matchConditions:
   - name: isRestrictedUser
     expression: >-
-      request.userInfo.username == "system:serviceaccount:intel-gpu-resource-driver:intel-gpu-resource-driver-service-account"
+      request.userInfo.username == "system:serviceaccount:{{ include "intel-gpu-resource-driver.namespace" . }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}"
   variables:
   - name: userNodeName
     expression: >-

charts/intel-gpu-resource-driver/values.yaml

@@ -1,6 +1,6 @@
 # Default values for intel-gpu-resource-driver.
 nameOverride: ""
-namespaceOverride: "intel-gpu-resource-driver"
+namespaceOverride: ""
 fullnameOverride: ""
 selectorLabelsOverride: {}
 
@@ -14,14 +14,12 @@ image:
 serviceAccount:
   create: true
   annotations: {}
-  name: intel-gpu-resource-driver-service-account
+  name: ""
   automount: true
 
 kubeletPlugin:
   podAnnotations: {}
-  nodeSelector: {}
-  # label used when nfd.enabled is true
-    #intel.feature.node.kubernetes.io/gpu: "true"
+  nodeSelector: {} # ignored when .Values.nodeFeatureRules.enabled or .Values.nfd.enabled
   tolerations:
     - key: node-role.kubernetes.io/master
       operator: Exists
@@ -37,6 +35,13 @@ kubeletPlugin:
       effect: "NoSchedule"
   affinity: {}
 
+cdi:
+  staticPath: /etc/cdi
+  dynamicPath: /var/run/cdi
+
+nodeFeatureRules:
+  enabled: false
+
 nfd:
   enabled: false # change to true to install NFD to the cluster
   nameOverride: intel-gpu-nfd