kata-deploy: Allow runtimeclasses to be created by the daemonset

Let's allow the daemonset to create the runtimeclasses, which will decrease one manual step a user of kata-deploy should take, and also help us in the Confidential Containers land as the Operator can just delegate it to this script. Fixes: #7409 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-04-29 20:24:31 +00:00 · 2023-07-21 13:41:55 +02:00 · 2023-07-21 13:41:55 +02:00 · 0e157be6f2
commit 0e157be6f2
parent a274333248
5 changed files with 62 additions and 8 deletions
--- a/tools/packaging/kata-deploy/Dockerfile
+++ b/tools/packaging/kata-deploy/Dockerfile
@ -28,3 +28,4 @@ tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
 rm -f ${WORKDIR}/${KATA_ARTIFACTS}

 COPY scripts ${DESTINATION}/scripts
+COPY runtimeclasses ${DESTINATION}/runtimeclasses
--- a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+++ b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
@ -13,7 +13,7 @@ spec:
        labels:
          name: kubelet-kata-cleanup
    spec:
-      serviceAccountName: kata-label-node
+      serviceAccountName: kata-deploy-sa
      nodeSelector:
          katacontainers.io/kata-runtime: cleanup
      containers:
@ -32,6 +32,10 @@ spec:
          value: "clh dragonball fc qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx qemu"
        - name: DEFAULT_SHIM
          value: "qemu"
+        - name: CREATE_RUNTIMECLASSES
+          value: "false"
+        - name: CREATE_DEFAULT_RUNTIMECLASS
+          value: "false"
        securityContext:
          privileged: true
        volumeMounts:
--- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
@ -13,7 +13,7 @@ spec:
        labels:
          name: kata-deploy
    spec:
-      serviceAccountName: kata-label-node
+      serviceAccountName: kata-deploy-sa
      containers:
      - name: kube-kata
        image: quay.io/kata-containers/kata-deploy:latest
@ -34,6 +34,10 @@ spec:
          value: "clh dragonball fc qemu qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx"
        - name: DEFAULT_SHIM
          value: "qemu"
+        - name: CREATE_RUNTIMECLASSES
+          value: "false"
+        - name: CREATE_DEFAULT_RUNTIMECLASS
+          value: "false"
        securityContext:
          privileged: true
        volumeMounts:
--- a/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+++ b/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
@ -2,28 +2,30 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kata-label-node
+  name: kata-deploy-sa
  namespace: kube-system
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: node-labeler
+  name: kata-deploy-role
 rules:
 - apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "patch"]
+- apiGroups: ["node.k8s.io"]
+  resources: ["runtimeclasses"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kata-label-node-rb
+  name: kata-deploy-rb
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: node-labeler
+  name: kata-deploy-role
 subjects:
 - kind: ServiceAccount
-  name: kata-label-node
+  name: kata-deploy-sa
  namespace: kube-system
-
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@ -29,6 +29,41 @@ function print_usage() {
 	echo "Usage: $0 [install/cleanup/reset]"
 }

+function create_runtimeclasses() {
+	echo "Creating the runtime classes"
+
+	for shim in "${shims[@]}"; do
+		echo "Creating the kata-${shim} runtime class"
+		kubectl apply -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+	done
+
+	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+		echo "Creating the kata runtime class for the default shim (an alias for kata-${default_shim})"
+		cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+		sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+		kubectl apply -f /tmp/kata.yaml
+		rm -f /tmp/kata.yaml
+	fi
+}
+
+function delete_runtimeclasses() {
+	echo "Deleting the runtime classes"
+
+	for shim in "${shims[@]}"; do
+		echo "Deleting the kata-${shim} runtime class"
+		kubectl delete -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+	done
+
+
+	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+		echo "Deleting the kata runtime class for the default shim (an alias for kata-${default_shim})"
+		cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+		sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+		kubectl delete -f /tmp/kata.yaml
+		rm -f /tmp/kata.yaml
+	fi
+}
+
 function get_container_runtime() {

 	local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
@ -75,6 +110,10 @@ function install_artifacts() {
 		sed -i -E "s|(valid_hypervisor_paths) = .+|\1 = [\"${clh_path}\"]|" "${config_path}"
 		sed -i -E "s|(path) = \".+/cloud-hypervisor\"|\1 = \"${clh_path}\"|" "${config_path}"
 	fi
+
+	if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+		create_runtimeclasses
+	fi
 }

 function wait_till_node_is_ready() {
@ -174,6 +213,10 @@ function cleanup_different_shims_base() {

 	rm "${default_shim_file}" || true
 	restore_shim "${default_shim_file}"
+
+	if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+		delete_runtimeclasses
+	fi
 }

 function configure_crio_runtime() {