From 0e157be6f2ddb9bfcacc3c67a35f4e9c53dd7273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 21 Jul 2023 13:41:55 +0200
Subject: [PATCH] kata-deploy: Allow runtimeclasses to be created by the daemonset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's allow the daemonset to create the runtimeclasses, which will decrease one manual step a user of kata-deploy should take, and also help us in the Confidential Containers land as the Operator can just delegate it to this script.

Fixes: #7409
Signed-off-by: Fabiano FidĂȘncio
---
 tools/packaging/kata-deploy/Dockerfile | 1 +
 .../kata-cleanup/base/kata-cleanup.yaml | 6 ++-
 .../kata-deploy/base/kata-deploy.yaml | 6 ++-
 .../kata-deploy/kata-rbac/base/kata-rbac.yaml | 14 +++---
 .../kata-deploy/scripts/kata-deploy.sh | 43 +++++++++++++++++++
 5 files changed, 62 insertions(+), 8 deletions(-)

diff --git a/tools/packaging/kata-deploy/Dockerfile b/tools/packaging/kata-deploy/Dockerfile
index f8b9edf4caf9..8e7f6e2ac119 100644
--- a/tools/packaging/kata-deploy/Dockerfile
+++ b/tools/packaging/kata-deploy/Dockerfile
@@ -28,3 +28,4 @@ tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
 rm -f ${WORKDIR}/${KATA_ARTIFACTS}
 
 COPY scripts ${DESTINATION}/scripts
+COPY runtimeclasses ${DESTINATION}/runtimeclasses
diff --git a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
index 9ef9e04faa14..36d1b9b5b892 100644
--- a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+++ b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
@@ -13,7 +13,7 @@ spec:
 labels:
 name: kubelet-kata-cleanup
 spec:
- serviceAccountName: kata-label-node
+ serviceAccountName: kata-deploy-sa
 nodeSelector:
 katacontainers.io/kata-runtime: cleanup
 containers:
@@ -32,6 +32,10 @@ spec:
 value: "clh dragonball fc qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx qemu"
 - name: DEFAULT_SHIM
 value: "qemu"
+ - name: CREATE_RUNTIMECLASSES
+ value: "false"
+ - name: CREATE_DEFAULT_RUNTIMECLASS
+ value: "false"
 securityContext:
 privileged: true
 volumeMounts:
diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
index ccab22c3447f..5431a47fae1e 100644
--- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
@@ -13,7 +13,7 @@ spec:
 labels:
 name: kata-deploy
 spec:
- serviceAccountName: kata-label-node
+ serviceAccountName: kata-deploy-sa
 containers:
 - name: kube-kata
 image: quay.io/kata-containers/kata-deploy:latest
@@ -34,6 +34,10 @@ spec:
 value: "clh dragonball fc qemu qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx"
 - name: DEFAULT_SHIM
 value: "qemu"
+ - name: CREATE_RUNTIMECLASSES
+ value: "false"
+ - name: CREATE_DEFAULT_RUNTIMECLASS
+ value: "false"
 securityContext:
 privileged: true
 volumeMounts:
diff --git a/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml b/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
index 408b5be90718..3bde9f0a8dd5 100644
--- a/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+++ b/tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
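Review bot: The two new knobs default to "false" on both DaemonSets and must be set consistently on both, because cleanup_different_shims_base in kata-deploy.sh only calls delete_runtimeclasses when the cleanup pod's own CREATE_RUNTIMECLASSES is "true"; a user who enables creation on kata-deploy but leaves the cleanup default is left with orphaned RuntimeClass objects. The same applies to the matching kata-deploy.yaml hunks and to the cleanup_different_shims_base hunk in kata-deploy.sh. A YAML comment above the entries, `# Must match the value used in kata-deploy.yaml, otherwise RuntimeClasses created at install are left behind on cleanup`, would make the coupling visible. The diffstat shows no README or docs change, so the meaning of the variables, and the fact that the "kata" alias needs CREATE_DEFAULT_RUNTIMECLASS in addition to CREATE_RUNTIMECLASSES, is only discoverable by reading the script.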
@@ -2,28 +2,30 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: kata-label-node
+ name: kata-deploy-sa
 namespace: kube-system
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: node-labeler
+ name: kata-deploy-role
 rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "patch"]
+- apiGroups: ["node.k8s.io"]
+ resources: ["runtimeclasses"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: kata-label-node-rb
+ name: kata-deploy-rb
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: node-labeler
+ name: kata-deploy-role
 subjects:
 - kind: ServiceAccount
- name: kata-label-node
+ name: kata-deploy-sa
 namespace: kube-system
 
-
diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
index 05f1af213815..a1eda4b64202 100755
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
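Review bot: The new runtimeclasses rule grants `list`, `update` and `watch`, but the only consumers in this patch are the `kubectl apply -f` and `kubectl delete -f` calls in kata-deploy.sh, which need `get`, `create`, `patch` and `delete` (possibly `watch` for delete's default wait); since this ClusterRole is bound cluster-wide to a privileged DaemonSet, the verb list is worth trimming to what the script exercises, e.g. `verbs: ["create", "delete", "get", "patch"]`, after confirming with a test run. Renaming the ServiceAccount, ClusterRole and binding also means clusters that applied the previous manifest keep the old `kata-label-node`/`node-labeler`/`kata-label-node-rb` objects, since `kubectl apply` does not prune renamed resources; a sentence in the commit message or an explicit removal step in the upgrade notes would cover that.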
@@ -29,6 +29,41 @@ function print_usage() {
 echo "Usage: $0 [install/cleanup/reset]"
 }
 
+function create_runtimeclasses() {
+ echo "Creating the runtime classes"
+
+ for shim in "${shims[@]}"; do
+ echo "Creating the kata-${shim} runtime class"
+ kubectl apply -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+ done
+
+ if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+ echo "Creating the kata runtime class for the default shim (an alias for kata-${default_shim})"
+ cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+ sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+ kubectl apply -f /tmp/kata.yaml
+ rm -f /tmp/kata.yaml
+ fi
+}
+
+function delete_runtimeclasses() {
+ echo "Deleting the runtime classes"
+
+ for shim in "${shims[@]}"; do
+ echo "Deleting the kata-${shim} runtime class"
+ kubectl delete -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+ done
+
+
+ if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+ echo "Deleting the kata runtime class for the default shim (an alias for kata-${default_shim})"
+ cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+ sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+ kubectl delete -f /tmp/kata.yaml
+ rm -f /tmp/kata.yaml
+ fi
+}
+
 function get_container_runtime() {
 
 local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
@@ -75,6 +110,10 @@ function install_artifacts() {
 sed -i -E "s|(valid_hypervisor_paths) = .+|\1 = [\"${clh_path}\"]|" "${config_path}"
 sed -i -E "s|(path) = \".+/cloud-hypervisor\"|\1 = \"${clh_path}\"|" "${config_path}"
 fi
+
+ if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+ create_runtimeclasses
+ fi
 }
 
 function wait_till_node_is_ready() {
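Review bot: `kubectl delete -f` in delete_runtimeclasses carries no `--ignore-not-found`, yet this function runs from the cleanup DaemonSet on every node, so once the first node has removed the RuntimeClass objects every other node's delete exits non-zero and, if the script runs under errexit (not visible in this hunk), aborts the rest of that node's cleanup. The same per-node fan-out applies to create_runtimeclasses, which install_artifacts calls in the next hunk: concurrent first-time `kubectl apply` calls from several nodes may race on the create and one of them can fail with AlreadyExists, so that outcome is worth tolerating or retrying. Both functions also copy the default shim's manifest to the fixed path /tmp/kata.yaml and rewrite it with `sed -i` using an unquoted `${default_shim}` in the pattern; piping `sed` straight into `kubectl ... -f -` removes the temp file, the double blank line in delete_runtimeclasses, and lets the two functions share one helper as sketched below.
```shell
# Run `kubectl <verb>` over every shim's RuntimeClass manifest and, when
# CREATE_DEFAULT_RUNTIMECLASS is "true", over the "kata" alias derived from
# the default shim's manifest. Extra arguments are passed through to kubectl.
function kubectl_runtimeclasses() {
	local verb="$1"
	shift
	local shim
	for shim in "${shims[@]}"; do
		echo "Running kubectl ${verb} on the kata-${shim} runtime class"
		kubectl "${verb}" "$@" -f "/opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml"
	done

	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
		echo "Running kubectl ${verb} on the kata runtime class (an alias for kata-${default_shim})"
		# Rewrite the manifest on the fly and feed kubectl from stdin:
		# no fixed /tmp path, no in-place sed.
		sed -e "s/kata-${default_shim}/kata/g" \
			"/opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml" \
			| kubectl "${verb}" "$@" -f -
	fi
}

function create_runtimeclasses() {
	echo "Creating the runtime classes"
	kubectl_runtimeclasses apply
}

function delete_runtimeclasses() {
	echo "Deleting the runtime classes"
	# Every node of the cleanup DaemonSet runs this; only the first one still
	# finds the objects, so a missing RuntimeClass must not be an error.
	kubectl_runtimeclasses delete --ignore-not-found
}
```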
@@ -174,6 +213,10 @@ function cleanup_different_shims_base() {
 
 rm "${default_shim_file}" || true
 restore_shim "${default_shim_file}"
+
+ if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+ delete_runtimeclasses
+ fi
 }
 
 function configure_crio_runtime() {