fix(gdp): fix deployment

- Deploy as daemonset - Remove tolerations (don't need it on control plane) - Run unprivileged (doesn't need it) - Use config file
jfroy · Oct 31, 2024 · 37a0f4d · 37a0f4d
1 parent 31c3d6d
commit 37a0f4d
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 16 deletions.
diff --git a/kubernetes/apps/kube-system/generic-device-plugin/app/configs/config.yaml b/kubernetes/apps/kube-system/generic-device-plugin/app/configs/config.yaml
@@ -0,0 +1,9 @@
+---
+log-level: info
+domain: kernel.org
+devices:
+  - name: tun
+    groups:
+      - count: 1000
+        paths:
+          - path: /dev/net/tun
diff --git a/kubernetes/apps/kube-system/generic-device-plugin/app/helmrelease.yaml b/kubernetes/apps/kube-system/generic-device-plugin/app/helmrelease.yaml
@@ -27,35 +27,34 @@ spec:
   values:
     defaultPodOptions:
       priorityClassName: system-node-critical
-      tolerations:
-        - operator: "Exists"
-          effect: "NoExecute"
-        - operator: "Exists"
-          effect: "NoSchedule"
     controllers:
       generic-device-plugin:
+        type: daemonset
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
         containers:
           generic-device-plugin:
             image:
               repository: ghcr.io/squat/generic-device-plugin
-              tag: 36bfc606bba2064de6ede0ff2764cbb52edff70d@sha256:ba6f0b4cf6c858d6ad29ba4d32e4da11638abbc7d96436bf04f582a97b2b8821
+              tag: latest@sha256:ba6f0b4cf6c858d6ad29ba4d32e4da11638abbc7d96436bf04f582a97b2b8821
             args:
-              - --domain
-              - kernel.org
-              - --device
-              - |
-                name: tun
-                groups:
-                  - count: 1000
-                    paths:
-                      - path: /dev/net/tun
+              - --config=/config/config.yaml
             ports:
               - containerPort: 8080
                 name: http
             securityContext:
-              privileged: true
+              allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
     persistence:
+      config:
+        type: configMap
+        name: generic-device-plugin-configmap
+        globalMounts:
+          - path: /config/config.yaml
+            subPath: config.yaml
+            readOnly: true
       dev:
         type: hostPath
         hostPath: /dev

diff --git a/kubernetes/apps/kube-system/generic-device-plugin/app/kustomization.yaml b/kubernetes/apps/kube-system/generic-device-plugin/app/kustomization.yaml
@@ -4,3 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: generic-device-plugin-configmap
+    files:
+      - ./configs/config.yaml
+generatorOptions:
+  disableNameSuffixHash: true