From f634e01672602035e5447edf80d07c1d2e5d6bf1 Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:37:59 +0100 Subject: [PATCH 01/10] Namespace should use namespace template Signed-off-by: Rouke Broersma --- .../templates/resource-driver-namespace.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml index a57604a..07558b4 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: intel-gpu-resource-driver + name: {{ include "intel-gpu-resource-driver.namespace" . }} From f1a4f7e18334086e080c7e9d16a2583be225b7de Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:38:48 +0100 Subject: [PATCH 02/10] Add pod security label to resource driver namespace because hostpath requires privileged Signed-off-by: Rouke Broersma --- .../templates/resource-driver-namespace.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml index 07558b4..6781d86 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml @@ -2,3 +2,5 @@ apiVersion: v1 kind: Namespace metadata: name: {{ include "intel-gpu-resource-driver.namespace" . }} + labels: + pod-security.kubernetes.io/enforce: privileged From 23e9bf4e56cff8f01574de06f86453c581073a5d Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:43:59 +0100 Subject: [PATCH 03/10] nfd: Allow deploying node feature rules without deploying nfd Signed-off-by: Rouke Broersma --- .../templates/{nfd.yaml => node-feature-rules.yaml} | 2 +- .../templates/resource-driver.yaml | 2 +- charts/intel-gpu-resource-driver/values.yaml | 7 ++++--- 3 files changed, 6 insertions(+), 5 deletions(-) rename charts/intel-gpu-resource-driver/templates/{nfd.yaml => node-feature-rules.yaml} (97%) diff --git a/charts/intel-gpu-resource-driver/templates/nfd.yaml b/charts/intel-gpu-resource-driver/templates/node-feature-rules.yaml similarity index 97% rename from charts/intel-gpu-resource-driver/templates/nfd.yaml rename to charts/intel-gpu-resource-driver/templates/node-feature-rules.yaml index 322b399..020c9d6 100644 --- a/charts/intel-gpu-resource-driver/templates/nfd.yaml +++ b/charts/intel-gpu-resource-driver/templates/node-feature-rules.yaml @@ -1,4 +1,4 @@ -{{- if .Values.nfd.enabled }} +{{- if or .Values.nodeFeatureRules.enabled .Values.nfd.enabled }} apiVersion: nfd.k8s-sigs.io/v1alpha1 kind: NodeFeatureRule metadata: diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml index 400c471..ebe7791 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml @@ -73,7 +73,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.nfd.enabled }} + {{- if or .Values.nodeFeatureRules.enabled .Values.nfd.enabled }} nodeSelector: intel.feature.node.kubernetes.io/gpu: "true" {{- else }} diff --git a/charts/intel-gpu-resource-driver/values.yaml b/charts/intel-gpu-resource-driver/values.yaml index 0613473..122c22f 100644 --- a/charts/intel-gpu-resource-driver/values.yaml +++ b/charts/intel-gpu-resource-driver/values.yaml @@ -19,9 +19,7 @@ serviceAccount: kubeletPlugin: podAnnotations: {} - nodeSelector: {} - # label used when nfd.enabled is true - #intel.feature.node.kubernetes.io/gpu: "true" + nodeSelector: {} # ignored when .Values.nodeFeatureRules.enabled or .Values.nfd.enabled tolerations: - key: node-role.kubernetes.io/master operator: Exists @@ -37,6 +35,9 @@ kubeletPlugin: effect: "NoSchedule" affinity: {} +nodeFeatureRules: + enabled: false + nfd: enabled: false # change to true to install NFD to the cluster nameOverride: intel-gpu-nfd From 7d6c8d300b62f82486ba4b0d7ba38520f66629f6 Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:47:58 +0100 Subject: [PATCH 04/10] Validating admission policy should not have hardcoded service account, use template functions instead Signed-off-by: Rouke Broersma --- .../templates/validating-admission-policy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml index 503aeb5..712a7dd 100644 --- a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml +++ b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml @@ -13,7 +13,7 @@ spec: matchConditions: - name: isRestrictedUser expression: >- - request.userInfo.username == "system:serviceaccount:intel-gpu-resource-driver:intel-gpu-resource-driver-service-account" + request.userInfo.username == "system:serviceaccount:{{ include "intel-gpu-resource-driver.namespace" . }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}" variables: - name: userNodeName expression: >- From b531521813e046da4038b89b987c5db6049b2288 Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:57:12 +0100 Subject: [PATCH 05/10] Make cdi spec dirs paths configurable Signed-off-by: Rouke Broersma --- .../intel-gpu-resource-driver/templates/resource-driver.yaml | 4 ++-- charts/intel-gpu-resource-driver/values.yaml | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml index ebe7791..3e09f89 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml @@ -62,10 +62,10 @@ spec: path: /var/lib/kubelet/plugins - name: cdi hostPath: - path: /etc/cdi + path: {{ .Values.cdi.staticPath }} - name: varruncdi hostPath: - path: /var/run/cdi + path: {{ .Values.cdi.dynamicPath}} - name: sysfs hostPath: path: /sys diff --git a/charts/intel-gpu-resource-driver/values.yaml b/charts/intel-gpu-resource-driver/values.yaml index 122c22f..ec23c4e 100644 --- a/charts/intel-gpu-resource-driver/values.yaml +++ b/charts/intel-gpu-resource-driver/values.yaml @@ -35,6 +35,10 @@ kubeletPlugin: effect: "NoSchedule" affinity: {} +cdi: + staticPath: /etc/cdi + dynamicPath: /var/run/cdi + nodeFeatureRules: enabled: false From 9d0d3ba3ed6d9373193baf352f42d2a500f86fd6 Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 20:59:33 +0100 Subject: [PATCH 06/10] serviceAccount is deprecated and should not be hardcoded, serviceAccountName is sufficient Signed-off-by: Rouke Broersma --- charts/intel-gpu-resource-driver/templates/resource-driver.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml index 3e09f89..29a74b5 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml @@ -14,7 +14,6 @@ spec: labels: app: intel-gpu-resource-driver spec: - serviceAccount: intel-gpu-resource-driver-service-account serviceAccountName: {{ include "intel-gpu-resource-driver.serviceAccountName" . }} containers: - name: kubelet-plugin From b143b330eb8c61f2e1d84e5c68af7bdf5a715a6f Mon Sep 17 00:00:00 2001 From: Rouke Broersma Date: Sat, 29 Mar 2025 21:04:59 +0100 Subject: [PATCH 07/10] Remove default values for namespaceOverride and serviceAccount to use default helper functions instead Signed-off-by: Rouke Broersma --- charts/intel-gpu-resource-driver/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel-gpu-resource-driver/values.yaml b/charts/intel-gpu-resource-driver/values.yaml index ec23c4e..0660675 100644 --- a/charts/intel-gpu-resource-driver/values.yaml +++ b/charts/intel-gpu-resource-driver/values.yaml @@ -1,6 +1,6 @@ # Default values for intel-gpu-resource-driver. nameOverride: "" -namespaceOverride: "intel-gpu-resource-driver" +namespaceOverride: "" fullnameOverride: "" selectorLabelsOverride: {} @@ -14,7 +14,7 @@ image: serviceAccount: create: true annotations: {} - name: intel-gpu-resource-driver-service-account + name: "" automount: true kubeletPlugin: From 49701062a08d3c9b60566a71088c535453e33e8d Mon Sep 17 00:00:00 2001 From: Alexey Fomenko Date: Wed, 9 Apr 2025 11:17:16 +0300 Subject: [PATCH 08/10] Switch to only using namespace name from Values Signed-off-by: Alexey Fomenko --- charts/intel-gpu-resource-driver/templates/_helpers.tpl | 4 ---- charts/intel-gpu-resource-driver/templates/clusterrole.yaml | 2 +- .../templates/clusterrolebinding.yaml | 4 ++-- .../templates/resource-driver-namespace.yaml | 2 +- .../intel-gpu-resource-driver/templates/resource-driver.yaml | 2 +- .../intel-gpu-resource-driver/templates/serviceaccount.yaml | 2 +- .../templates/validating-admission-policy.yaml | 2 +- charts/intel-gpu-resource-driver/values.yaml | 3 ++- 8 files changed, 9 insertions(+), 12 deletions(-) diff --git a/charts/intel-gpu-resource-driver/templates/_helpers.tpl b/charts/intel-gpu-resource-driver/templates/_helpers.tpl index 01c4419..58b22b3 100644 --- a/charts/intel-gpu-resource-driver/templates/_helpers.tpl +++ b/charts/intel-gpu-resource-driver/templates/_helpers.tpl @@ -20,10 +20,6 @@ intel-gpu-resource-driver {{- end -}} {{- end }} -{{- define "intel-gpu-resource-driver.namespace" -}} -{{- default .Release.Namespace .Values.namespaceOverride }} -{{- end }} - {{/* Labels for templates */}} {{- define "intel-gpu-resource-driver.labels" -}} helm.sh/chart: {{ include "intel-gpu-resource-driver.chart" . }} diff --git a/charts/intel-gpu-resource-driver/templates/clusterrole.yaml b/charts/intel-gpu-resource-driver/templates/clusterrole.yaml index a4ff6a7..60bb528 100644 --- a/charts/intel-gpu-resource-driver/templates/clusterrole.yaml +++ b/charts/intel-gpu-resource-driver/templates/clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "intel-gpu-resource-driver.clusterRoleName" . }} - namespace: {{ include "intel-gpu-resource-driver.namespace" . }} + namespace: {{ .Values.namespace }} rules: - apiGroups: [""] resources: ["nodes"] diff --git a/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml b/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml index 20b387d..748f5ce 100644 --- a/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml +++ b/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml @@ -2,11 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "intel-gpu-resource-driver.clusterRoleBindingName" . }} - namespace: {{ include "intel-gpu-resource-driver.namespace" . }} + namespace: {{ .Values.namespace }} subjects: - kind: ServiceAccount name: {{ include "intel-gpu-resource-driver.serviceAccountName" . }} - namespace: {{ include "intel-gpu-resource-driver.namespace" . }} + namespace: {{ .Values.namespace }} roleRef: kind: ClusterRole name: {{ include "intel-gpu-resource-driver.clusterRoleName" . }} diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml index 6781d86..53af120 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml @@ -1,6 +1,6 @@ apiVersion: v1 kind: Namespace metadata: - name: {{ include "intel-gpu-resource-driver.namespace" . }} + name: {{ .Values.namespace }} labels: pod-security.kubernetes.io/enforce: privileged diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml index 29a74b5..c0ac46e 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: intel-gpu-resource-driver-kubelet-plugin - namespace: {{ include "intel-gpu-resource-driver.namespace" . }} + namespace: {{ .Values.namespace }} labels: {{- include "intel-gpu-resource-driver.labels" . | nindent 4 }} spec: diff --git a/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml b/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml index 1c88089..552a120 100644 --- a/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml +++ b/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "intel-gpu-resource-driver.serviceAccountName" . }} - namespace: {{ include "intel-gpu-resource-driver.namespace" . }} + namespace: {{ .Values.namespace }} labels: {{- include "intel-gpu-resource-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml index 712a7dd..8dabe5e 100644 --- a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml +++ b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml @@ -13,7 +13,7 @@ spec: matchConditions: - name: isRestrictedUser expression: >- - request.userInfo.username == "system:serviceaccount:{{ include "intel-gpu-resource-driver.namespace" . }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}" + request.userInfo.username == "system:serviceaccount:{{ .Values.namespace }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}" variables: - name: userNodeName expression: >- diff --git a/charts/intel-gpu-resource-driver/values.yaml b/charts/intel-gpu-resource-driver/values.yaml index 0660675..4ff26a6 100644 --- a/charts/intel-gpu-resource-driver/values.yaml +++ b/charts/intel-gpu-resource-driver/values.yaml @@ -1,9 +1,10 @@ # Default values for intel-gpu-resource-driver. nameOverride: "" -namespaceOverride: "" fullnameOverride: "" selectorLabelsOverride: {} +namespace: "intel-gpu-resource-driver" + imagePullSecrets: [] image: repository: intel From e58403e4b5fb2359b32d7aaf6549bc9d50712dfa Mon Sep 17 00:00:00 2001 From: Alexey Fomenko Date: Mon, 14 Apr 2025 12:39:07 +0300 Subject: [PATCH 09/10] Update GPU chart docs Signed-off-by: Alexey Fomenko --- charts/intel-gpu-resource-driver/README.md | 19 ++++++++++++++++--- doc/gpu/USAGE.md | 16 +++------------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/charts/intel-gpu-resource-driver/README.md b/charts/intel-gpu-resource-driver/README.md index f00f276..4e27f23 100644 --- a/charts/intel-gpu-resource-driver/README.md +++ b/charts/intel-gpu-resource-driver/README.md @@ -9,10 +9,22 @@ More info: [Intel Resource Drivers for Kubernetes](https://github.com/intel/inte ## Installing the chart +> [!WARNING] +> `--namespace` and `--create-namespace` Helm parameters should not be used. The chart creates a +> workspace with a security label that will not be created when using `--create-namespace` +> parameter, and when using `--namespace` option, Helm will ensure that the namespace exists before +> processing templates. + +To change the target namespace from default `intel-gpu-resource-driver` to something else, use Helm +parameter to change the value: ``` -helm install intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver \ - --create-namespace \ - --namespace intel-gpu-resource-driver +helm install \ + --set namespace="new-namespace" \ + intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver +``` + +``` +helm install intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver ``` ## Uninstalling the chart @@ -39,3 +51,4 @@ You may also run `helm show values` on this chart's dependencies for additional | image.name | string | `"intel-gpu-resource-driver"` | | image.pullPolicy | string | `"IfNotPresent"` | | image.tag | string | `"v0.7.0"` | +| namespace | string | "intel-gpu-resource-driver" | diff --git a/doc/gpu/USAGE.md b/doc/gpu/USAGE.md index eb3a872..63ae30e 100644 --- a/doc/gpu/USAGE.md +++ b/doc/gpu/USAGE.md @@ -273,17 +273,7 @@ Unlike with normal GPU ResourceClaims: * Monitor deployment gets access to all GPU devices on a node * `adminAccess` ResourceClaim allocations are not counted by scheduler as consumed resource, and can be allocated to workloads -### Helm Charts +### Helm Chart -[Intel GPU Resource Driver Helm Chart](https://github.com/intel/helm-charts/tree/main/charts/intel-gpu-resource-driver) is located in Intel Helm Charts repository. - -To add repo: -``` -helm repo add intel https://intel.github.io/helm-charts -``` - -To install Helm Chart: -``` -helm install intel-gpu-resource-driver intel/intel-gpu-resource-driver \ ---create-namespace --namespace intel-gpu-resource-driver -``` +The [Intel GPU Resource Driver Helm Chart](../../charts/intel-gpu-resource-driver) is published +as a package to GitHub OCI registry, and can be installed directly with Helm. From dd0559a6c6c126803a5db7c3e62df19cca486a23 Mon Sep 17 00:00:00 2001 From: Alexey Fomenko Date: Wed, 23 Apr 2025 23:05:52 +0300 Subject: [PATCH 10/10] GPU chart: use Helm .Release.Namespace in templates Signed-off-by: Alexey Fomenko --- charts/intel-gpu-resource-driver/README.md | 22 +++++++++---------- .../templates/clusterrole.yaml | 2 +- .../templates/clusterrolebinding.yaml | 4 ++-- .../templates/resource-driver-namespace.yaml | 6 ----- .../templates/resource-driver.yaml | 2 +- .../templates/serviceaccount.yaml | 2 +- .../validating-admission-policy.yaml | 2 +- charts/intel-gpu-resource-driver/values.yaml | 2 -- 8 files changed, 17 insertions(+), 25 deletions(-) delete mode 100644 charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml diff --git a/charts/intel-gpu-resource-driver/README.md b/charts/intel-gpu-resource-driver/README.md index 4e27f23..a0b43c6 100644 --- a/charts/intel-gpu-resource-driver/README.md +++ b/charts/intel-gpu-resource-driver/README.md @@ -9,22 +9,23 @@ More info: [Intel Resource Drivers for Kubernetes](https://github.com/intel/inte ## Installing the chart -> [!WARNING] -> `--namespace` and `--create-namespace` Helm parameters should not be used. The chart creates a -> workspace with a security label that will not be created when using `--create-namespace` -> parameter, and when using `--namespace` option, Helm will ensure that the namespace exists before -> processing templates. - -To change the target namespace from default `intel-gpu-resource-driver` to something else, use Helm -parameter to change the value: ``` helm install \ - --set namespace="new-namespace" \ + --namespace "intel-gpu-resource-driver" \ + --create-namespace \ intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver ``` +> [!NOTE] +> For Kubernetes clusters using [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/), +> pre-create the namespace with the respective label allowing to use HostPath Volumes. + ``` -helm install intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver +kubectl create namespace intel-gpu-resource-driver +kubectl label --overwrite namespace intel-gpu-resource-driver pod-security.kubernetes.io/enforce=privileged +helm install \ + --namespace "intel-gpu-resource-driver" \ + intel-gpu-resource-driver oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver ``` ## Uninstalling the chart @@ -51,4 +52,3 @@ You may also run `helm show values` on this chart's dependencies for additional | image.name | string | `"intel-gpu-resource-driver"` | | image.pullPolicy | string | `"IfNotPresent"` | | image.tag | string | `"v0.7.0"` | -| namespace | string | "intel-gpu-resource-driver" | diff --git a/charts/intel-gpu-resource-driver/templates/clusterrole.yaml b/charts/intel-gpu-resource-driver/templates/clusterrole.yaml index 60bb528..e05ca20 100644 --- a/charts/intel-gpu-resource-driver/templates/clusterrole.yaml +++ b/charts/intel-gpu-resource-driver/templates/clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "intel-gpu-resource-driver.clusterRoleName" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} rules: - apiGroups: [""] resources: ["nodes"] diff --git a/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml b/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml index 748f5ce..accedc2 100644 --- a/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml +++ b/charts/intel-gpu-resource-driver/templates/clusterrolebinding.yaml @@ -2,11 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "intel-gpu-resource-driver.clusterRoleBindingName" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} subjects: - kind: ServiceAccount name: {{ include "intel-gpu-resource-driver.serviceAccountName" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ include "intel-gpu-resource-driver.clusterRoleName" . }} diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml deleted file mode 100644 index 53af120..0000000 --- a/charts/intel-gpu-resource-driver/templates/resource-driver-namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.namespace }} - labels: - pod-security.kubernetes.io/enforce: privileged diff --git a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml index c0ac46e..fad84e8 100644 --- a/charts/intel-gpu-resource-driver/templates/resource-driver.yaml +++ b/charts/intel-gpu-resource-driver/templates/resource-driver.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: intel-gpu-resource-driver-kubelet-plugin - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "intel-gpu-resource-driver.labels" . | nindent 4 }} spec: diff --git a/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml b/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml index 552a120..3046a48 100644 --- a/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml +++ b/charts/intel-gpu-resource-driver/templates/serviceaccount.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "intel-gpu-resource-driver.serviceAccountName" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "intel-gpu-resource-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml index 8dabe5e..637c92c 100644 --- a/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml +++ b/charts/intel-gpu-resource-driver/templates/validating-admission-policy.yaml @@ -13,7 +13,7 @@ spec: matchConditions: - name: isRestrictedUser expression: >- - request.userInfo.username == "system:serviceaccount:{{ .Values.namespace }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}" + request.userInfo.username == "system:serviceaccount:{{ .Release.Namespace }}:{{ include "intel-gpu-resource-driver.serviceAccountName" . }}" variables: - name: userNodeName expression: >- diff --git a/charts/intel-gpu-resource-driver/values.yaml b/charts/intel-gpu-resource-driver/values.yaml index 4ff26a6..80c39d4 100644 --- a/charts/intel-gpu-resource-driver/values.yaml +++ b/charts/intel-gpu-resource-driver/values.yaml @@ -3,8 +3,6 @@ nameOverride: "" fullnameOverride: "" selectorLabelsOverride: {} -namespace: "intel-gpu-resource-driver" - imagePullSecrets: [] image: repository: intel