Merge pull request #873 from elezar/fix-caps

Add CAP_SYS_ADMIN if volume-mounts list strategy is included

.github/workflows/helm.yaml

@@ -12,37 +12,35 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Run this workflow on new tags
-name: Publish Helm Chart
+name: Helm
 
 on:
-  release:
+  pull_request:
     types:
-      - published
+      - opened
+      - synchronize
+    branches:
+      - main
+      - release-*
+  push:
+    branches:
+      - main
+      - release-*
 
 jobs:
-  update-helm-charts:
-    name: Update gh-pages branch helm charts and index
+  test:
+    name: Test
     runs-on: ubuntu-latest
-    env:
-      HELM_REPO_PATH: releases/helm-${{ github.event.release.tag_name }}/
     steps:
-    - name: Install Helm
-      uses: azure/[email protected]
-      with:
-        version: 3.14.4
-
-    - name: Check out repo
+    - name: Checkout code
       uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-
-    - name: Update helm index
+    - name: Get Golang version
+      id: vars
       run: |
-        git config user.name "Github Actions"
-        git config user.email "[email protected]"
-        ./hack/update-helm-index.sh --helm-repo-path $HELM_REPO_PATH --version ${{ github.event.release.tag_name }}
-
-    - name: Push updated Helm charts and index to gh-pages branch
-      run: |
-        git -C $HELM_REPO_PATH push https://${GITHUB_ACTOR}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} gh-pages
+        GOLANG_VERSION=$(./hack/golang-version.sh)
+        echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION ?= }" >> $GITHUB_ENV
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GOLANG_VERSION }}
+    - run: make test-helm

.github/workflows/publish-helm.yaml

@@ -0,0 +1,48 @@
+# Copyright 2024 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Run this workflow on new tags
+name: Publish Helm Chart
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  update-helm-charts:
+    name: Update gh-pages branch helm charts and index
+    runs-on: ubuntu-latest
+    env:
+      HELM_REPO_PATH: releases/helm-${{ github.event.release.tag_name }}/
+    steps:
+    - name: Install Helm
+      uses: azure/[email protected]
+      with:
+        version: 3.14.4
+
+    - name: Check out repo
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Update helm index
+      run: |
+        git config user.name "Github Actions"
+        git config user.email "[email protected]"
+        ./hack/update-helm-index.sh --helm-repo-path $HELM_REPO_PATH --version ${{ github.event.release.tag_name }}
+
+    - name: Push updated Helm charts and index to gh-pages branch
+      run: |
+        git -C $HELM_REPO_PATH push https://${GITHUB_ACTOR}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} gh-pages

deployments/helm/nvidia-device-plugin/templates/_helpers.tpl

@@ -93,7 +93,7 @@ Security context for the plugin
 {{ toYaml .Values.securityContext }}
 {{- else if .Values.compatWithCPUManager -}}
 privileged: true
-{{- else if ne (include "nvidia-device-plugin.allPossibleMigStrategiesAreNone" .) "true" -}}
+{{- else if eq (include "nvidia-device-plugin.requiresCapSysAdmin" .) "true" -}}
 capabilities:
   add:
     - SYS_ADMIN
@@ -110,7 +110,7 @@ Security context for GFD
 {{- define "gpu-feature-discovery.securityContext" -}}
 {{- if ne (len .Values.gfd.securityContext) 0 -}}
 {{ toYaml .Values.gfd.securityContext }}
-{{- else if ne (include "nvidia-device-plugin.allPossibleMigStrategiesAreNone" .) "true" -}}
+{{- else if eq (include "nvidia-device-plugin.requiresCapSysAdmin" .) "true" -}}
 capabilities:
   add:
     - SYS_ADMIN
@@ -121,6 +121,19 @@ capabilities:
 {{- end -}}
 {{- end -}}
 
+{{/*
+Check whether the SYS_ADMIN capability should be included.
+*/}}
+{{- define "nvidia-device-plugin.requiresCapSysAdmin" -}}
+{{- $result := false -}}
+{{- if ne (include "nvidia-device-plugin.allPossibleMigStrategiesAreNone" .) "true" -}}
+  {{- $result = true -}}
+{{- else if eq (include "nvidia-device-plugin.deviceListStrategyIncludesVolumeMount" .) "true" -}}
+  {{- $result = true -}}
+{{- end -}}
+{{- $result -}}
+{{- end -}}
+
 {{/*
 Check if migStrategy (from all possible configurations) is "none"
 */}}
@@ -145,6 +158,32 @@ Check if migStrategy (from all possible configurations) is "none"
 {{- $result -}}
 {{- end }}
 
+{{/*
+Check if volume-mounts is included in the set of device-list-strategies
+*/}}
+{{- define "nvidia-device-plugin.deviceListStrategyIncludesVolumeMount" -}}
+{{- $result := false -}}
+{{- if .Values.deviceListStrategy -}}
+  {{- $result = ( contains "volume-mounts" .Values.deviceListStrategy ) -}}
+{{- else if eq (include "nvidia-device-plugin.hasConfigMap" .) "true" -}}
+    {{- $result = true -}}
+{{- else -}}
+  {{- range $name, $contents := $.Values.config.map -}}
+    {{- $config := $contents | fromYaml -}}
+    {{- if $config.flags -}}
+      {{- if $config.flags.plugin -}}
+        {{- if typeIs "string" $config.flags.plugin.deviceListStrategy }}
+          {{- $result = ( contains "volume-mounts" $config.flags.plugin.deviceListStrategy ) -}}
+        {{- else if typeIs "list" $config.flags.plugin.deviceListStrategy }}
+          {{- $result = ( has "volume-mounts" $config.flags.plugin.deviceListStrategy ) -}}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- $result -}}
+{{- end }}
+
 {{/*
 Check if an explicit set of configs has been provided or not
 */}}

deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml

@@ -189,8 +189,6 @@ spec:
           - name: DEVICE_DISCOVERY_STRATEGY
             value: {{ .Values.deviceDiscoveryStrategy }}
         {{- end }}
-          - name: DEVICE_PLUGIN_MODE
-            value: "{{ .Values.devicePlugin.mode }}"
           - name: NVIDIA_VISIBLE_DEVICES
             value: all
           - name: NVIDIA_DRIVER_CAPABILITIES

tests/go.mod

@@ -3,9 +3,11 @@ module github.com/NVIDIA/k8s-device-plugin/tests
 go 1.22.2
 
 require (
+	github.com/gruntwork-io/terratest v0.47.0
 	github.com/mittwald/go-helm-client v0.12.10
 	github.com/onsi/ginkgo/v2 v2.19.1
 	github.com/onsi/gomega v1.34.1
+	github.com/stretchr/testify v1.9.0
 	k8s.io/api v0.30.2
 	k8s.io/apiextensions-apiserver v0.30.0
 	k8s.io/apimachinery v0.30.2
@@ -26,11 +28,14 @@ require (
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go v1.44.122 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/containerd/containerd v1.7.12 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
@@ -45,17 +50,25 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
 	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/gonvenience/bunt v1.3.5 // indirect
+	github.com/gonvenience/neat v1.3.12 // indirect
+	github.com/gonvenience/term v1.0.2 // indirect
+	github.com/gonvenience/text v1.0.7 // indirect
+	github.com/gonvenience/wrap v1.1.2 // indirect
+	github.com/gonvenience/ytbx v1.4.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -67,11 +80,14 @@ require (
 	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/gruntwork-io/go-commons v0.8.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/homeport/dyff v1.6.0 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -80,13 +96,19 @@ require (
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
@@ -100,19 +122,24 @@ require (
 	github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pquerna/otp v1.2.0 // indirect
 	github.com/prometheus/client_golang v1.18.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rubenv/sql-migrate v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.9.0 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/urfave/cli v1.22.12 // indirect
+	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect