kata-deploy: Allow runtimeclasses to be created by the daemonset
Let's allow the daemonset to create the runtime classes, which removes one manual step a kata-deploy user would otherwise have to take, and also helps us in the Confidential Containers land, as the Operator can simply delegate it to this script. Fixes: #7409 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This commit is contained in:
parent
a274333248
commit
0e157be6f2
@ -28,3 +28,4 @@ tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
|
|||||||
rm -f ${WORKDIR}/${KATA_ARTIFACTS}
|
rm -f ${WORKDIR}/${KATA_ARTIFACTS}
|
||||||
|
|
||||||
COPY scripts ${DESTINATION}/scripts
|
COPY scripts ${DESTINATION}/scripts
|
||||||
|
COPY runtimeclasses ${DESTINATION}/runtimeclasses
|
||||||
|
@ -13,7 +13,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
name: kubelet-kata-cleanup
|
name: kubelet-kata-cleanup
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: kata-label-node
|
serviceAccountName: kata-deploy-sa
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
katacontainers.io/kata-runtime: cleanup
|
katacontainers.io/kata-runtime: cleanup
|
||||||
containers:
|
containers:
|
||||||
@ -32,6 +32,10 @@ spec:
|
|||||||
value: "clh dragonball fc qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx qemu"
|
value: "clh dragonball fc qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx qemu"
|
||||||
- name: DEFAULT_SHIM
|
- name: DEFAULT_SHIM
|
||||||
value: "qemu"
|
value: "qemu"
|
||||||
|
- name: CREATE_RUNTIMECLASSES
|
||||||
|
value: "false"
|
||||||
|
- name: CREATE_DEFAULT_RUNTIMECLASS
|
||||||
|
value: "false"
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
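Review bot: The two env entries added to the kubelet-kata-cleanup daemonset default to `"false"`, while the cleanup path in kata-deploy.sh only calls `delete_runtimeclasses` when `CREATE_RUNTIMECLASSES` is `"true"` in this pod, and only removes the `kata` alias when `CREATE_DEFAULT_RUNTIMECLASS` is `"true"` here. A user who enables either flag on the kata-deploy daemonset (the matching hunk in that manifest) but leaves the defaults on this one ends up with runtime classes that survive the cleanup. A comment on each value would make the coupling visible, e.g. `# must match the value set on the kata-deploy daemonset, otherwise the runtime classes are left behind on cleanup`.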
@ -13,7 +13,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
name: kata-deploy
|
name: kata-deploy
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: kata-label-node
|
serviceAccountName: kata-deploy-sa
|
||||||
containers:
|
containers:
|
||||||
- name: kube-kata
|
- name: kube-kata
|
||||||
image: quay.io/kata-containers/kata-deploy:latest
|
image: quay.io/kata-containers/kata-deploy:latest
|
||||||
@ -34,6 +34,10 @@ spec:
|
|||||||
value: "clh dragonball fc qemu qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx"
|
value: "clh dragonball fc qemu qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx"
|
||||||
- name: DEFAULT_SHIM
|
- name: DEFAULT_SHIM
|
||||||
value: "qemu"
|
value: "qemu"
|
||||||
|
- name: CREATE_RUNTIMECLASSES
|
||||||
|
value: "false"
|
||||||
|
- name: CREATE_DEFAULT_RUNTIMECLASS
|
||||||
|
value: "false"
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
@ -2,28 +2,30 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: kata-label-node
|
name: kata-deploy-sa
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
---
|
---
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: node-labeler
|
name: kata-deploy-role
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["nodes"]
|
resources: ["nodes"]
|
||||||
verbs: ["get", "patch"]
|
verbs: ["get", "patch"]
|
||||||
|
- apiGroups: ["node.k8s.io"]
|
||||||
|
resources: ["runtimeclasses"]
|
||||||
|
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
|
||||||
---
|
---
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: kata-label-node-rb
|
name: kata-deploy-rb
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: node-labeler
|
name: kata-deploy-role
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: kata-label-node
|
name: kata-deploy-sa
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
|
||||||
|
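Review bot: The new `node.k8s.io` rule grants `list`, `watch` and `update` on runtimeclasses, but the kata-deploy.sh hunk in this commit only runs `kubectl apply -f` and `kubectl delete -f`, which as far as that hunk shows need `get`, `create`, `patch` and `delete`; trimming the rule to `verbs: ["create", "delete", "get", "patch"]` keeps the role at least privilege. This single role is now bound to the service account shared by both privileged daemonsets (kata-deploy and kubelet-kata-cleanup), so cluster-scoped create/delete on runtimeclasses is available from every node running either pod; that is the intent of the change, but a one-line comment above the rule stating why it exists would help the next reviewer, e.g. `# needed by kata-deploy.sh create_runtimeclasses/delete_runtimeclasses when CREATE_RUNTIMECLASSES=true`.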
@ -29,6 +29,41 @@ function print_usage() {
|
|||||||
echo "Usage: $0 [install/cleanup/reset]"
|
echo "Usage: $0 [install/cleanup/reset]"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function create_runtimeclasses() {
|
||||||
|
echo "Creating the runtime classes"
|
||||||
|
|
||||||
|
for shim in "${shims[@]}"; do
|
||||||
|
echo "Creating the kata-${shim} runtime class"
|
||||||
|
kubectl apply -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
|
||||||
|
echo "Creating the kata runtime class for the default shim (an alias for kata-${default_shim})"
|
||||||
|
cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
|
||||||
|
sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
|
||||||
|
kubectl apply -f /tmp/kata.yaml
|
||||||
|
rm -f /tmp/kata.yaml
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function delete_runtimeclasses() {
|
||||||
|
echo "Deleting the runtime classes"
|
||||||
|
|
||||||
|
for shim in "${shims[@]}"; do
|
||||||
|
echo "Deleting the kata-${shim} runtime class"
|
||||||
|
kubectl delete -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
|
||||||
|
echo "Deleting the kata runtime class for the default shim (an alias for kata-${default_shim})"
|
||||||
|
cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
|
||||||
|
sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
|
||||||
|
kubectl delete -f /tmp/kata.yaml
|
||||||
|
rm -f /tmp/kata.yaml
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
function get_container_runtime() {
|
function get_container_runtime() {
|
||||||
|
|
||||||
local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
|
local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
|
||||||
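Review bot: `delete_runtimeclasses` runs `kubectl delete -f` without `--ignore-not-found`, so a runtime class that was never created (creation failed, or it was removed by hand) makes the command exit non-zero; if kata-deploy.sh runs under errexit (not visible in this hunk, though the `|| true` on `rm "${default_shim_file}"` in cleanup_different_shims_base suggests it does) the cleanup stops before the remaining classes and the default alias are processed. Both functions also stage the alias manifest at the fixed path `/tmp/kata.yaml` and leave `${default_shim}` unquoted inside the sed expression; piping the substituted manifest straight into `kubectl ... -f -` removes the temp file, the `rm -f`, and the unquoted expansion at once. The same rewrite applies to `create_runtimeclasses`, where `kubectl apply -f -` reads the piped manifest in the same way. `get_container_runtime` at the bottom of the hunk continues outside it.
```shell
function delete_runtimeclasses() {
	# … unchanged: echo …

	for shim in "${shims[@]}"; do
		echo "Deleting the kata-${shim} runtime class"
		kubectl delete --ignore-not-found -f "/opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml"
	done

	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
		echo "Deleting the kata runtime class for the default shim (an alias for kata-${default_shim})"
		# Rewrite the manifest on the fly instead of staging it under a fixed /tmp name.
		sed -e "s/kata-${default_shim}/kata/g" "/opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml" \
			| kubectl delete --ignore-not-found -f -
	fi
}
```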
@ -75,6 +110,10 @@ function install_artifacts() {
|
|||||||
sed -i -E "s|(valid_hypervisor_paths) = .+|\1 = [\"${clh_path}\"]|" "${config_path}"
|
sed -i -E "s|(valid_hypervisor_paths) = .+|\1 = [\"${clh_path}\"]|" "${config_path}"
|
||||||
sed -i -E "s|(path) = \".+/cloud-hypervisor\"|\1 = \"${clh_path}\"|" "${config_path}"
|
sed -i -E "s|(path) = \".+/cloud-hypervisor\"|\1 = \"${clh_path}\"|" "${config_path}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
|
||||||
|
create_runtimeclasses
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function wait_till_node_is_ready() {
|
function wait_till_node_is_ready() {
|
||||||
@ -174,6 +213,10 @@ function cleanup_different_shims_base() {
|
|||||||
|
|
||||||
rm "${default_shim_file}" || true
|
rm "${default_shim_file}" || true
|
||||||
restore_shim "${default_shim_file}"
|
restore_shim "${default_shim_file}"
|
||||||
|
|
||||||
|
if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
|
||||||
|
delete_runtimeclasses
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function configure_crio_runtime() {
|
function configure_crio_runtime() {
|
||||||
|