Created
November 2, 2022 15:18
-
-
Save FahadBSyed/330fc72ac517b239610243d016414d9d to your computer and use it in GitHub Desktop.
Hello Fuse Kubernetes Manifests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: hello-fuse | |
| labels: | |
| app: hello-fuse | |
| spec: | |
| containers: | |
| - name: hello-fuse | |
| image: hello-fuse:latest | |
| imagePullPolicy: Never | |
| # As of now, I am exec'ing into the pod and attempting to mount manually since its easier to debug and iterate | |
| command: ["sh", "-c", "--"] | |
| args: ["while true; do sleep 30; done"] | |
| securityContext: | |
| # This seems like what is necessary to be able to access /dev/fuse from the kubernetes node | |
| # See: https://github.com/kubernetes/kubernetes/issues/60748#issuecomment-507842465 | |
| privileged: true | |
| # This seems to indicate that the below runAs parameters are ignored: | |
| # https://discuss.kubernetes.io/t/write-permissions-on-volume-mount-with-security-context-fsgroup-option/16524/5 | |
| #runAsGroup: 1000 | |
| #runAsUser: 1000 | |
| # Seems like just adding the SYS_ADMIN linux capability is not enough. We still get a failed to open /dev/fuse | |
| #capabilities: | |
| # add: | |
| # - SYS_ADMIN | |
| volumeMounts: | |
| - mountPath: /dev/fuse | |
| name: fuse | |
| - mountPath: /pfs | |
| name: pachyderm-worker | |
| restartPolicy: OnFailure | |
| volumes: | |
| - name: fuse | |
| hostPath: | |
| path: /dev/fuse | |
| - emptyDir: { } | |
| name: pachyderm-worker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # You will need to label all your nodes with smart-device-manager=enabled to usethis. Alternatively, remove the label selector. | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: device-manager | |
| labels: | |
| name: device-manager | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: smarter-device-manager | |
| namespace: device-manager | |
| data: | |
| conf.yaml: | | |
| - devicematch: ^fuse$ | |
| nummaxdevices: 20 | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| name: smarter-device-manager | |
| namespace: device-manager | |
| labels: | |
| name: smarter-device-manager | |
| role: agent | |
| spec: | |
| selector: | |
| matchLabels: | |
| name: smarter-device-manager | |
| updateStrategy: | |
| type: RollingUpdate | |
| template: | |
| metadata: | |
| labels: | |
| name: smarter-device-manager | |
| annotations: | |
| node.kubernetes.io/bootstrap-checkpoint: "true" | |
| spec: | |
| nodeSelector: | |
| smarter-device-manager : enabled | |
| priorityClassName: "system-node-critical" | |
| hostname: smarter-device-management | |
| hostNetwork: true | |
| dnsPolicy: ClusterFirstWithHostNet | |
| containers: | |
| - name: smarter-device-manager | |
| image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.1.2 | |
| imagePullPolicy: IfNotPresent | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| drop: ["ALL"] | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 15Mi | |
| requests: | |
| cpu: 10m | |
| memory: 15Mi | |
| volumeMounts: | |
| - name: device-plugin | |
| mountPath: /var/lib/kubelet/device-plugins | |
| - name: dev-dir | |
| mountPath: /dev | |
| - name: sys-dir | |
| mountPath: /sys | |
| - name: config | |
| mountPath: /root/config | |
| volumes: | |
| - name: device-plugin | |
| hostPath: | |
| path: /var/lib/kubelet/device-plugins | |
| - name: dev-dir | |
| hostPath: | |
| path: /dev | |
| - name: sys-dir | |
| hostPath: | |
| path: /sys | |
| - name: config | |
| configMap: | |
| name: smarter-device-manager | |
| terminationGracePeriodSeconds: 30 | |
| --- | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: hello-fuse | |
| labels: | |
| app: hello-fuse | |
| spec: | |
| # Notice we don't need to explicitly mount the /dev/fuse volume here. | |
| containers: | |
| - name: hello-fuse | |
| image: hello-fuse:latest | |
| imagePullPolicy: Never | |
| # As of now, I am exec'ing into the pod and attempting to mount manually since its easier to debug and iterate | |
| command: ["sh", "-c", "--"] | |
| args: ["while true; do sleep 30; done"] | |
| resources: | |
| limits: | |
| smarter-devices/fuse: 1 | |
| requests: | |
| smarter-devices/fuse: 1 | |
| securityContext: | |
| # This is slightly better, but still requires the SYS_ADMIN cap | |
| privileged: false | |
| runAsGroup: 1000 | |
| runAsUser: 1000 | |
| capabilities: | |
| add: | |
| - SYS_ADMIN | |
| volumeMounts: | |
| - mountPath: /pfs | |
| name: pachyderm-worker | |
| volumes: | |
| - emptyDir: { } | |
| name: pachyderm-worker | |
| restartPolicy: OnFailure |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment