From 16d7686d199bfeeba26be39ca9257fdb85b1800e Mon Sep 17 00:00:00 2001 From: SataQiu Date: Tue, 13 Aug 2024 12:04:37 +0800 Subject: [PATCH] fix rbac for vgpu monitor Signed-off-by: SataQiu --- volcano-vgpu-device-plugin-with-monitor.yml | 158 ++++++++++---------- volcano-vgpu-device-plugin.yml | 116 +++++++------- 2 files changed, 137 insertions(+), 137 deletions(-) diff --git a/volcano-vgpu-device-plugin-with-monitor.yml b/volcano-vgpu-device-plugin-with-monitor.yml index 869c122..7dabff0 100644 --- a/volcano-vgpu-device-plugin-with-monitor.yml +++ b/volcano-vgpu-device-plugin-with-monitor.yml @@ -24,24 +24,24 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: volcano-device-plugin rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list", "watch","update","patch"] - - apiGroups: [""] - resources: ["nodes/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "update","patch"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: [""] + resources: ["nodes/status"] + verbs: ["patch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "update", "patch", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: volcano-device-plugin subjects: - - kind: ServiceAccount - name: volcano-device-plugin - namespace: kube-system +- kind: ServiceAccount + name: volcano-device-plugin + namespace: kube-system roleRef: kind: ClusterRole name: volcano-device-plugin 
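Review bot: The `pods` rule in this ClusterRole now carries `get`, `list`, `update`, `patch` and `watch` cluster-wide, and nothing in the manifest records which component needs which verb. The role is bound to the `volcano-device-plugin` ServiceAccount that the pod spec in the next hunk runs under, so if that workload is scheduled on every GPU node, each of those nodes holds a token that can read and modify pods on all nodes. RBAC cannot scope this per node, so it is worth confirming that `update` is still needed alongside `patch`, and adding a comment above the rule such as `# watch: required by the monitor container; update/patch: used by the plugin on pods it allocates devices to` (wording to be checked against the code). volcano-vgpu-device-plugin.yml defines a ClusterRole with the same name but without `watch`, so applying that file after this one would presumably strip the verb this commit adds. The ClusterRole document begins above the hunk.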
@@ -82,95 +82,95 @@ spec: priorityClassName: "system-node-critical" serviceAccount: volcano-device-plugin containers: - - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.3 + - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.4 args: ["--device-split-count=10"] lifecycle: postStart: exec: - command: ["/bin/sh","-c","cp -f /k8s-vgpu/lib/nvidia/* /usr/local/vgpu/"] + command: ["/bin/sh", "-c", "cp -f /k8s-vgpu/lib/nvidia/* /usr/local/vgpu/"] name: volcano-device-plugin env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: HOOK_PATH - value: "/usr/local/vgpu" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOOK_PATH + value: "/usr/local/vgpu" securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] add: ["SYS_ADMIN"] volumeMounts: - - name: device-plugin - mountPath: /var/lib/kubelet/device-plugins - - name: lib - mountPath: /usr/local/vgpu - - name: hosttmp - mountPath: /tmp - - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.3 + - name: device-plugin + mountPath: /var/lib/kubelet/device-plugins + - name: lib + mountPath: /usr/local/vgpu + - name: hosttmp + mountPath: /tmp + - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.4 name: monitor command: - - /bin/bash - - -c - - volcano-vgpu-monitor + - /bin/bash + - -c + - volcano-vgpu-monitor env: - - name: NVIDIA_VISIBLE_DEVICES - value: "all" - - name: NVIDIA_MIG_MONITOR_DEVICES - value: "all" - - name: HOOK_PATH - value: "/tmp/vgpu" - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName + - name: NVIDIA_VISIBLE_DEVICES + value: "all" + - name: NVIDIA_MIG_MONITOR_DEVICES + value: "all" + - name: HOOK_PATH + value: "/tmp/vgpu" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] add: ["SYS_ADMIN"] volumeMounts: - - name: dockers - mountPath: /run/docker - - name: containerds 
- mountPath: /run/containerd - - name: sysinfo - mountPath: /sysinfo - - name: hostvar - mountPath: /hostvar - - name: hosttmp - mountPath: /tmp - volumes: - - hostPath: - path: /var/lib/kubelet/device-plugins - type: Directory - name: device-plugin - - hostPath: - path: /usr/local/vgpu - type: DirectoryOrCreate - name: lib - - name: hosttmp - hostPath: - path: /tmp - type: DirectoryOrCreate - name: dockers - hostPath: - path: /run/docker - type: DirectoryOrCreate + mountPath: /run/docker - name: containerds - hostPath: - path: /run/containerd - type: DirectoryOrCreate - - name: usrbin - hostPath: - path: /usr/bin - type: Directory + mountPath: /run/containerd - name: sysinfo - hostPath: - path: /sys - type: Directory + mountPath: /sysinfo - name: hostvar - hostPath: - path: /var - type: Directory + mountPath: /hostvar + - name: hosttmp + mountPath: /tmp + volumes: + - hostPath: + path: /var/lib/kubelet/device-plugins + type: Directory + name: device-plugin + - hostPath: + path: /usr/local/vgpu + type: DirectoryOrCreate + name: lib + - name: hosttmp + hostPath: + path: /tmp + type: DirectoryOrCreate + - name: dockers + hostPath: + path: /run/docker + type: DirectoryOrCreate + - name: containerds + hostPath: + path: /run/containerd + type: DirectoryOrCreate + - name: usrbin + hostPath: + path: /usr/bin + type: Directory + - name: sysinfo + hostPath: + path: /sys + type: Directory + - name: hostvar + hostPath: + path: /var + type: Directory diff --git a/volcano-vgpu-device-plugin.yml b/volcano-vgpu-device-plugin.yml index abd0f3d..64b0391 100644 --- a/volcano-vgpu-device-plugin.yml +++ b/volcano-vgpu-device-plugin.yml 
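Review bot: Both containers are bumped to `v1.9.4` by tag only, so what actually runs is whatever docker.io serves for that tag at pull time. Both containers add `SYS_ADMIN`, and the monitor mounts host `/var`, `/sys`, `/run/containerd`, `/run/docker` and `/tmp`, so a re-pushed tag would start with broad host access. Pinning the digest closes that gap, e.g. `image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.4@sha256:<digest-of-v1.9.4>` (placeholder; take the value from the registry). The same applies to the image line in the volcano-vgpu-device-plugin.yml hunk at `@@ -82,62 +82,62 @@`. The pod spec starts above this hunk.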
@@ -24,24 +24,24 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: volcano-device-plugin rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list", "watch","update","patch"] - - apiGroups: [""] - resources: ["nodes/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "update","patch"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: [""] + resources: ["nodes/status"] + verbs: ["patch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: volcano-device-plugin subjects: - - kind: ServiceAccount - name: volcano-device-plugin - namespace: kube-system +- kind: ServiceAccount + name: volcano-device-plugin + namespace: kube-system roleRef: kind: ClusterRole name: volcano-device-plugin 
@@ -82,62 +82,62 @@ spec: priorityClassName: "system-node-critical" serviceAccount: volcano-device-plugin containers: - - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.3 + - image: docker.io/projecthami/volcano-vgpu-device-plugin:v1.9.4 args: ["--device-split-count=10"] lifecycle: postStart: exec: - command: ["/bin/sh","-c","cp -f /k8s-vgpu/lib/nvidia/* /usr/local/vgpu/"] + command: ["/bin/sh", "-c", "cp -f /k8s-vgpu/lib/nvidia/* /usr/local/vgpu/"] name: volcano-device-plugin env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: HOOK_PATH - value: "/usr/local/vgpu" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOOK_PATH + value: "/usr/local/vgpu" securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] add: ["SYS_ADMIN"] volumeMounts: - - name: device-plugin - mountPath: /var/lib/kubelet/device-plugins - - name: lib - mountPath: /usr/local/vgpu - - name: hosttmp - mountPath: /tmp - volumes: - - hostPath: - path: /var/lib/kubelet/device-plugins - type: Directory - name: device-plugin - - hostPath: - path: /usr/local/vgpu - type: DirectoryOrCreate - name: lib + - name: device-plugin + mountPath: /var/lib/kubelet/device-plugins + - name: lib + mountPath: /usr/local/vgpu - name: hosttmp - hostPath: - path: /tmp - type: DirectoryOrCreate - - name: dockers - hostPath: - path: /run/docker - type: DirectoryOrCreate - - name: containerds - hostPath: - path: /run/containerd - type: DirectoryOrCreate - - name: usrbin - hostPath: - path: /usr/bin - type: Directory - - name: sysinfo - hostPath: - path: /sys - type: Directory - - name: hostvar - hostPath: - path: /var - type: Directory + mountPath: /tmp + volumes: + - hostPath: + path: /var/lib/kubelet/device-plugins + type: Directory + name: device-plugin + - hostPath: + path: /usr/local/vgpu + type: DirectoryOrCreate + name: lib + - name: hosttmp + hostPath: + path: /tmp + type: DirectoryOrCreate + - name: dockers + 
hostPath: + path: /run/docker + type: DirectoryOrCreate + - name: containerds + hostPath: + path: /run/containerd + type: DirectoryOrCreate + - name: usrbin + hostPath: + path: /usr/bin + type: Directory + - name: sysinfo + hostPath: + path: /sys + type: Directory + - name: hostvar + hostPath: + path: /var + type: Directory
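Review bot: The volumes list re-indented here still declares `dockers`, `containerds`, `usrbin`, `sysinfo` and `hostvar`, but the only container visible in this hunk mounts just `device-plugin`, `lib` and `hosttmp`. Unless something outside the hunk (an init container, for instance) uses them, these hostPath entries serve no purpose in the monitor-less manifest, and the `DirectoryOrCreate` ones may cause `/run/docker` and `/run/containerd` to be created on hosts that lack them. I would drop the five unused entries from this file and keep them only in volcano-vgpu-device-plugin-with-monitor.yml, where `usrbin` also appears to have no matching volumeMount. The pod spec begins above the hunk, so confirm against the full file before removing anything.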