From 41d41d51f7892b7a98f91ad62ae018b18d3bcf96 Mon Sep 17 00:00:00 2001
From: Gus Minto-Cowcher
Date: Fri, 11 Jul 2025 13:58:21 +0100
Subject: [PATCH 1/4] helm: add nodeSelector support to kata-deploy chart

- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them

Signed-off-by: Gus Minto-Cowcher
---
 .../kata-deploy/helm-chart/README.md | 27 +++++++++++++++++++
 .../kata-deploy/templates/kata-deploy.yaml | 4 +++
 .../helm-chart/kata-deploy/values.yaml | 8 +++++-
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/helm-chart/README.md b/tools/packaging/kata-deploy/helm-chart/README.md
index 9939b85c62..ea1eb4b2fb 100644
--- a/tools/packaging/kata-deploy/helm-chart/README.md
+++ b/tools/packaging/kata-deploy/helm-chart/README.md
@@ -125,6 +125,7 @@ All values can be overridden with --set key=value or a custom `-f myvalues.yaml`
 | `image.reference` | Fully qualified image reference | `quay.io/kata-containers/kata-deploy` |
 | `image.tag` | Tag of the image reference | `""` |
 | `k8sDistribution` | Set the k8s distribution to use: `k8s`, `k0s`, `k3s`, `rke2`, `microk8s` | `k8s` |
+| `nodeSelector` | Node labels for pod assignment. Allows restricting deployment to specific nodes | `{}` |
 | `env.debug` | Enable debugging in the `configuration.toml` | `false` |
 | `env.shims` | List of shims to deploy | `clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-sev qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx` |
 | `env.defaultShim` | The default shim to use if none specified | `qemu` |
@@ -148,6 +149,32 @@ $ helm install kata-deploy \
 "${CHART}" --version "${VERSION}"
 ```
 
+## Example: Deploy only to specific nodes using `nodeSelector`
+
+```sh
+# First, label the nodes where you want kata-containers to be installed
+$ kubectl label nodes worker-node-1 kata-containers=enabled
+$ kubectl label nodes worker-node-2 kata-containers=enabled
+
+# Then install the chart with `nodeSelector`
+$ helm install kata-deploy \
+ --set nodeSelector.kata-containers="enabled" \
+ "${CHART}" --version "${VERSION}"
+```
+
+You can also use a values file:
+
+```yaml
+# values.yaml
+nodeSelector:
+ kata-containers: "enabled"
+ node-type: "worker"
+```
+
+```sh
+$ helm install kata-deploy -f values.yaml "${CHART}" --version "${VERSION}"
+```
+
 ## Example: Multiple Kata installations on the same node
 
 For debugging, testing and other use-case it is possible to deploy multiple
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml
index fb8b1f6729..7c23109e2a 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml
@@ -32,6 +32,10 @@ spec:
 serviceAccountName: {{ .Chart.Name }}-sa-{{ .Values.env.multiInstallSuffix }}
 {{- else }}
 serviceAccountName: {{ .Chart.Name }}-sa
+{{- end }}
+{{- with .Values.nodeSelector }}
+ nodeSelector:
+{{- toYaml . | nindent 8 }}
 {{- end }}
 hostPID: true
 containers:
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
index d2593adea9..aeabc59a15 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
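Review bot: The new `{{- with .Values.nodeSelector }}` block in kata-deploy.yaml renders whatever non-empty value it receives, so a scalar supplied by mistake (for example `--set nodeSelector=worker`) is emitted by `toYaml` as a bare string under `nodeSelector:` and fails only when the API server rejects the DaemonSet, not at `helm template`/lint time; a type guard such as `{{- if not (kindIs "map" .Values.nodeSelector) }}{{ fail "nodeSelector must be a map of node labels" }}{{- end }}` before the `with`, or an equivalent `values.schema.json` entry if the chart has one, would surface the error earlier. Since this pod runs with `hostPID: true` (visible in the hunk's context), `nodeSelector` is effectively the knob that keeps the privileged installer off nodes that should not receive it, which is worth stating in the template comment or README. Note that a selector alone does not cover tainted nodes, so operators targeting such nodes would also need tolerations, which this chart may or may not expose — outside this hunk.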
@@ -5,9 +5,15 @@ image:
 tag: ""
 # k8s-dist can be k8s, k3s, rke2, k0s, microk8s
 k8sDistribution: "k8s"
+# Node selector to control which nodes the kata-deploy daemonset runs on
+# Example:
+# nodeSelector:
+# kata-containers: "enabled"
+# node-type: "worker"
+nodeSelector: {}
 env:
 debug: "false"
- shims: "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx"
+ shims: "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-sev qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx"
 defaultShim: "qemu"
 createRuntimeClasses: "true"
 createDefaultRuntimeClass: "false"

From 3b5cd2aad6350403ed8709bd4e37a186b6410c6d Mon Sep 17 00:00:00 2001
From: Gus Minto-Cowcher
Date: Fri, 11 Jul 2025 14:00:58 +0100
Subject: [PATCH 2/4] helm: remove qemu-sev references

qemu-sev support has been removed, but those bits were left behind by mistake.

Signed-off-by: Gus Minto-Cowcher
---
 tools/packaging/kata-deploy/helm-chart/README.md | 3 +--
 tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/packaging/kata-deploy/helm-chart/README.md b/tools/packaging/kata-deploy/helm-chart/README.md
index ea1eb4b2fb..9651004023 100644
--- a/tools/packaging/kata-deploy/helm-chart/README.md
+++ b/tools/packaging/kata-deploy/helm-chart/README.md
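Review bot: The `shims:` change in this values.yaml hunk re-adds `qemu-sev` to the default shim list, which is unrelated to the nodeSelector subject of PATCH 1/4 and is reverted again by PATCH 2/4; dropping that `-`/`+` pair from this patch keeps the commit self-contained and avoids a bisect point where a removed shim is briefly deployed by default. The new `nodeSelector` comment would also benefit from saying how it interacts with `createRuntimeClasses: "true"` just below: RuntimeClass objects are cluster-scoped, so if the chart's RuntimeClasses do not carry a matching `scheduling.nodeSelector` (not visible in this series), workloads requesting a kata runtime can still be scheduled onto nodes the restricted DaemonSet never configured. A comment such as `# RuntimeClasses created by this chart are cluster-wide; pair this selector with a matching scheduling.nodeSelector on the RuntimeClass or on workloads so kata pods only land on labelled nodes` would make that expectation explicit.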
@@ -127,7 +127,7 @@ All values can be overridden with --set key=value or a custom `-f myvalues.yaml`
 | `k8sDistribution` | Set the k8s distribution to use: `k8s`, `k0s`, `k3s`, `rke2`, `microk8s` | `k8s` |
 | `nodeSelector` | Node labels for pod assignment. Allows restricting deployment to specific nodes | `{}` |
 | `env.debug` | Enable debugging in the `configuration.toml` | `false` |
-| `env.shims` | List of shims to deploy | `clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-sev qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx` |
+| `env.shims` | List of shims to deploy | `clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx` |
 | `env.defaultShim` | The default shim to use if none specified | `qemu` |
 | `env.createRuntimeClasses` | Create the k8s `runtimeClasses` | `true` |
 | `env.createDefaultRuntimeClass` | Create the default k8s `runtimeClass` | `false` |
@@ -208,7 +208,6 @@ kata-qemu-nvidia-gpu-snp-cicd kata-qemu-nvidia-gpu-snp-cicd 77s
 kata-qemu-nvidia-gpu-tdx-cicd kata-qemu-nvidia-gpu-tdx-cicd 76s
 kata-qemu-runtime-rs-cicd kata-qemu-runtime-rs-cicd 77s
 kata-qemu-se-runtime-rs-cicd kata-qemu-se-runtime-rs-cicd 77s
-kata-qemu-sev-cicd kata-qemu-sev-cicd 77s
 kata-qemu-snp-cicd kata-qemu-snp-cicd 77s
 kata-qemu-tdx-cicd kata-qemu-tdx-cicd 77s
 kata-stratovirt-cicd kata-stratovirt-cicd 77s
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
index aeabc59a15..71a3495c80 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
@@ -13,7 +13,7 @@ k8sDistribution: "k8s"
 nodeSelector: {}
 env:
 debug: "false"
- shims: "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-sev qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx"
+ shims: "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-runtime-rs qemu-se-runtime-rs qemu-snp qemu-tdx stratovirt qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx"
 defaultShim: "qemu"
 createRuntimeClasses: "true"
 createDefaultRuntimeClass: "false"

From 17ce44083c33565502b6ca0b1c25002b293be391 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 18 Jul 2025 12:21:29 +0200
Subject: [PATCH 3/4] runtime: Remove reference to sev package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise it'll just break static checks.

Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/pkg/README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/runtime/pkg/README.md b/src/runtime/pkg/README.md
index 72bf3248bb..b5b0d07d32 100644
--- a/src/runtime/pkg/README.md
+++ b/src/runtime/pkg/README.md
@@ -7,5 +7,4 @@ This repository contains a number of packages in addition to the
 |-|-|
 | [`katatestutils`](katatestutils) | Unit test utilities. |
 | [`katautils`](katautils) | Utilities. |
-| [`sev`](sev) | AMD SEV confidential guest utilities. |
 | [`signals`](signals) | Signal handling functions. |

From 497a3620c27ee0b9d428e9ab11fdd9b65b0d7e71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 18 Jul 2025 12:23:39 +0200
Subject: [PATCH 4/4] tests: Remove references to qemu-sev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As it's been removed from our codebase.

Signed-off-by: Fabiano FidĂȘncio
---
 tests/integration/kubernetes/gha-run.sh | 4 ++--
 tests/integration/kubernetes/k8s-cpu-ns.bats | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index fe2106520c..cb0f760298 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -443,7 +443,7 @@ function cleanup() {
 }
 
 function deploy_snapshotter() {
- if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-sev" ]]; then
+ if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
 echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 return
 fi
@@ -457,7 +457,7 @@ function deploy_snapshotter() {
 }
 
 function cleanup_snapshotter() {
- if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-sev" ]]; then
+ if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
 echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 return
 fi
diff --git a/tests/integration/kubernetes/k8s-cpu-ns.bats b/tests/integration/kubernetes/k8s-cpu-ns.bats
index bc8dc6ac83..e47fd44d22 100644
--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
@@ -15,7 +15,7 @@ setup() {
 [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
 [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
- [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+ [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 && skip "TEEs do not support memory / CPU hotplug"
@@ -122,7 +122,7 @@ teardown() {
 [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
- [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+ [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 && skip "TEEs do not support memory / CPU hotplug"
 
 # Debugging information