Support SecondaryNetwork of SR-IOV type for VM Nodes #6881
Conversation
| - name: host-pod-resources | ||
| mountPath: /var/lib/kubelet/pod-resources |
There was a problem hiding this comment.
I see that Multus mounts all of /var/lib/kubelet, but they probably need more things than we do:
Would you see any reason to also set mountPropagation here?
There was a problem hiding this comment.
Multus mounts /var/lib/kubelet perhaps because it fallbacks to reading checkpoint file /var/lib/kubelet/device-plugins/kubelet_internal_checkpoint when the pod-resources socket doesn't exist: https://github.com/k8snetworkplumbingwg/multus-cni/blob/fba1fea81e0d4040244badf9d8c8e0eaddc717e8/pkg/kubeletclient/kubeletclient.go#L65-L73.
At the moment I'm not sure if it's necessary to mount the checkpoint file, but even if it's necessary, it doesn't seem reasonable to mount the whole directory as there are senstive data in it, like kubelet's TLS cert and key.
I'll check whether there could be a situation that the socket doesn't exist.
I think we shouldn't set mountPropagation like Multus, because the default one is None, meaning the volume in a container will not receive new mounts from the host or other containers, and filesystems mounted inside the container won't be propagated to the host or other containers, which is exactly what we want as we only need to access the socket. I don't know why Multus needs the DaemonSet Pod to receive new mounts from the host, the PR k8snetworkplumbingwg/multus-cni#1300 that added it wasn't very clear.
There was a problem hiding this comment.
Checked kubelet code, the socket will always be opened, there should be no need to fallback to checkpoint file.
luolanzone
added
the
area/secondary-network
tnqn
force-pushed
the
sr-iov
branch
2 times, most recently
from
4412c05 to
9445466
Compare
VM Nodes don't have access to Physical Function, the patch removes the code that checks whether the Physical Function exists or not, which is not really necessary. It also fixes two issues: 1. The usage of grpc.NewClient was wrong. 2. The kubelet socket was not accessible in the Pod. Signed-off-by: Quan Tian <[email protected]>
tnqn
force-pushed
the
sr-iov
branch
3 times, most recently
from
8c65744 to
57ba2b6
Compare
|
/test-all |
tnqn
added
kind/bug
VM Nodes don't have access to Physical Function, the patch removes the code that checks whether the Physical Function exists or not, which is not really necessary.
It also fixes two issues:
TODO:
The directory only contains a socket that provides read-only APIs for exposing resource allocation details of Pods. Multus thick mode also mounts the directory unconditionally.