Merge remote-tracking branch 'upstream/master' into forked-master

Author: heyvister1

Dockerfile

@@ -5,6 +5,7 @@ RUN make _build-manager BIN_PATH=build/_output/cmd && \
     make _build-sriov-network-operator-config-cleanup BIN_PATH=build/_output/cmd
 
 FROM quay.io/centos/centos:stream9
+USER 65532:65532
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/sriov-network-operator/build/_output/cmd/manager /usr/bin/sriov-network-operator
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/sriov-network-operator/build/_output/cmd/sriov-network-operator-config-cleanup /usr/bin/sriov-network-operator-config-cleanup
 COPY bindata /bindata

README.md

@@ -419,6 +419,10 @@ Feature gates are used to enable or disable specific features in the operator.
   - **Description:** Enables the firmware reset via `mstfwreset` before a system reboot. This feature is specific to Mellanox network devices and is used to ensure that the firmware is properly reset during system maintenance.
   - **Default:** Disabled
 
+6. **Block Device Plugin Until Configured** (`blockDevicePluginUntilConfigured`)
+  - **Description:** Prevents the SR-IOV device plugin from starting until the sriov-config-daemon has applied the SR-IOV configuration for the node. When enabled, the device plugin daemonset runs an init container that sets a wait-for-config annotation on its pod and waits until the sriov-config-daemon removes this annotation after applying the configuration. This addresses the race condition where the device plugin starts and reports available resources before the configuration is actually applied, which can lead to pods being scheduled prematurely.
+  - **Default:** Enabled
+
 ### Enabling Feature Gates
 
 To enable a feature gate, add it to your configuration file or command line with the desired state. For example, to enable the `resourceInjectorMatchCondition` feature gate, you would specify:

bindata/manifests/daemon/daemonset.yaml

@@ -201,6 +201,8 @@ spec:
         volumeMounts:
           - name: host
             mountPath: /host
+          - name: tmp
+            mountPath: /tmp
         lifecycle:
           preStop:
             exec:
@@ -216,3 +218,5 @@ spec:
         hostPath:
           path: /etc/os-release
           type: File
+      - name: tmp
+        emptyDir: {}

bindata/manifests/operator-webhook/server.yaml

@@ -98,6 +98,12 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             cpu: 10m

bindata/manifests/plugins/002-rbac.yaml

@@ -49,3 +49,27 @@ subjects:
   - kind: ServiceAccount
     name: sriov-device-plugin
     namespace: {{.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sriov-device-plugin-pod-access
+  namespace: {{.Namespace}}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: sriov-device-plugin-pod-access
+  namespace: {{.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sriov-device-plugin-pod-access
+subjects:
+- kind: ServiceAccount
+  name: sriov-device-plugin
+  namespace: {{.Namespace}}

bindata/manifests/plugins/sriov-device-plugin.yaml

@@ -39,6 +39,14 @@ spec:
         component: network
         type: infra
         openshift.io/component: network
+        # NOTE: The controller uses equality.Semantic.DeepDerivative(in.Spec, ds.Spec)
+        # to detect changes in the DaemonSet's spec and decide if an update is needed.
+        # To ensure the init container is properly managed when toggling the
+        # BlockDevicePluginUntilConfigured feature gate, we define an explicit field
+        # (init-container-enabled) that is always present in the DaemonSet labels.
+        # Its value reflects the state of the feature gate and guarantees spec changes
+        # are propagated, ensuring the init container is added or removed as required.
+        init-container-enabled: "{{ .BlockDevicePluginUntilConfigured }}"
     spec:
       hostNetwork: true
       nodeSelector:
@@ -55,6 +63,25 @@ spec:
         - name: {{ . }}
       {{- end }}
       {{- end }}
+      {{- if .BlockDevicePluginUntilConfigured }}
+      initContainers:
+      - name: sriov-device-plugin-init
+        image: {{.SRIOVNetworkConfigDaemonImage}}
+        command:
+        - sriov-network-config-daemon
+        - wait-for-config
+        - --pod-name=$(POD_NAME)
+        - --pod-namespace=$(POD_NAMESPACE)
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      {{- end }}
       containers:
       - name: sriov-device-plugin
         image: {{.SRIOVDevicePluginImage}}

bindata/manifests/webhook/server.yaml

@@ -101,6 +101,12 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             cpu: 10m

cmd/sriov-network-config-daemon/start.go

@@ -185,7 +185,7 @@ func initFeatureGates(defaultConfig *sriovnetworkv1.SriovOperatorConfig) (featur
 	featureGates := featuregate.New()
 	featureGates.Init(defaultConfig.Spec.FeatureGates)
 	fnLogger.Info("Enabled featureGates", "featureGates", featureGates.String())
-
+	vars.FeatureGate = featureGates
 	return featureGates, nil
 }
 

cmd/sriov-network-config-daemon/waitforconfig.go

@@ -0,0 +1,206 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/go-logr/logr"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/consts"
+	snolog "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/log"
+	"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/utils"
+)
+
+var (
+	waitForConfigCmd = &cobra.Command{
+		Use:   "wait-for-config",
+		Short: "Wait for SR-IOV configuration to be applied",
+		Long: "Init container command that sets annotation on pod and waits for " +
+			"sriov-config-daemon to apply configuration and remove the annotation",
+		RunE: runWaitForConfigCmd,
+	}
+
+	waitForConfigOpts struct {
+		podName      string
+		podNamespace string
+	}
+)
+
+func init() {
+	rootCmd.AddCommand(waitForConfigCmd)
+	waitForConfigCmd.PersistentFlags().StringVar(&waitForConfigOpts.podName, "pod-name", "",
+		"kubernetes pod name of the device plugin")
+	waitForConfigCmd.PersistentFlags().StringVar(&waitForConfigOpts.podNamespace, "pod-namespace", "",
+		"kubernetes namespace where the device plugin pod is running")
+}
+
+type WaitForConfigReconciler struct {
+	client.Client
+	Pod    types.NamespacedName
+	Cancel context.CancelFunc
+}
+
+func (r *WaitForConfigReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	// This check is currently redundant since the cache is configured to watch only the target pod object.
+	// However, it is intentionally included to document this assumption and to provide a safeguard in case
+	// the cache configuration is modified in the future to watch additional pods.
+	if r.Pod != req.NamespacedName {
+		return ctrl.Result{}, nil
+	}
+
+	pod := &corev1.Pod{}
+	if err := r.Get(ctx, req.NamespacedName, pod); err != nil {
+		logger.Error(err, "Failed to get pod")
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	if !utils.ObjectHasAnnotationKey(pod, consts.DevicePluginWaitConfigAnnotation) {
+		logger.Info("Annotation removed, device plugin can proceed")
+		r.Cancel()
+		return ctrl.Result{}, nil
+	}
+
+	logger.Info("Annotation still present, waiting...")
+	return ctrl.Result{RequeueAfter: consts.DaemonRequeueTime}, nil
+}
+
+func (r *WaitForConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Pod{}).
+		Complete(r)
+}
+
+func validateWaitForConfigOpts() error {
+	if waitForConfigOpts.podName == "" {
+		return fmt.Errorf("--pod-name is required")
+	}
+	if waitForConfigOpts.podNamespace == "" {
+		return fmt.Errorf("--pod-namespace is required")
+	}
+	return nil
+}
+
+func runWaitForConfigCmd(cmd *cobra.Command, args []string) error {
+	snolog.InitLog()
+	setupLog := log.Log.WithName("wait-for-config")
+
+	if err := validateWaitForConfigOpts(); err != nil {
+		setupLog.Error(err, "invalid command line arguments")
+		return err
+	}
+
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		setupLog.Error(err, "failed to get in-cluster config")
+		return err
+	}
+
+	return startWaitForConfigManager(setupLog, config, types.NamespacedName{Name: waitForConfigOpts.podName, Namespace: waitForConfigOpts.podNamespace})
+}
+
+func startWaitForConfigManager(setupLog logr.Logger, config *rest.Config, podName types.NamespacedName) error {
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	defer cancel()
+
+	setupLog.Info("Starting wait-for-config", "pod", podName)
+
+	// Create a temporary client to set the annotation immediately
+	tempClient, err := client.New(config, client.Options{})
+	if err != nil {
+		setupLog.Error(err, "failed to create kubernetes client")
+		return err
+	}
+
+	// Set annotation on pod to signal that we are waiting for config
+	setupLog.Info("Setting annotation on pod", "annotation", consts.DevicePluginWaitConfigAnnotation)
+	err = setAnnotationOnPod(ctx, setupLog, tempClient, podName)
+	if err != nil {
+		setupLog.Error(err, "failed to set annotation on pod")
+		return err
+	}
+	setupLog.Info("Annotation set successfully, waiting for removal")
+
+	// Configure Manager
+	// Watch only specific pod object
+	selector := fields.SelectorFromSet(fields.Set{"metadata.name": podName.Name})
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Metrics: metricsserver.Options{BindAddress: "0"},
+		Cache: cache.Options{
+			DefaultNamespaces: map[string]cache.Config{podName.Namespace: {}},
+			ByObject: map[client.Object]cache.ByObject{
+				&corev1.Pod{}: {Field: selector},
+			},
+		},
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		return err
+	}
+
+	if err = (&WaitForConfigReconciler{
+		Client: mgr.GetClient(),
+		Pod:    podName,
+		Cancel: cancel,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller")
+		return err
+	}
+
+	setupLog.Info("Starting manager")
+	if err := mgr.Start(ctx); err != nil {
+		setupLog.Error(err, "problem running manager")
+		return err
+	}
+	return nil
+}
+
+// setAnnotationOnPod sets the wait-for-config annotation on the pod
+func setAnnotationOnPod(ctx context.Context, logger logr.Logger, c client.Client, podName types.NamespacedName) error {
+	return wait.ExponentialBackoff(wait.Backoff{
+		Steps:    10,
+		Duration: 1 * time.Second,
+		Factor:   2.0,
+		Jitter:   0.1,
+		Cap:      30 * time.Second,
+	}, func() (bool, error) {
+		pod := &corev1.Pod{}
+		if err := c.Get(ctx, podName, pod); err != nil {
+			logger.Error(err, "failed to get pod, retrying")
+			return false, nil
+		}
+		if err := utils.AnnotateObject(ctx, pod, consts.DevicePluginWaitConfigAnnotation, "true", c); err != nil {
+			logger.Error(err, "failed to annotate pod, retrying")
+			return false, nil
+		}
+		return true, nil
+	})
+}