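## Default values mirror HAMi device-plugin hook layout (HOOK_PATH=/usr/local → /usr/local/vgpu on host).
## NOTE(review): this listing had lost its indentation. The nesting below is
## reconstructed from the key names; the placement of tls and service under
## webhook in particular is assumed. Confirm against the chart templates.
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""

global:
  imageRegistry: ""
  imagePullSecrets: []

image:
  registry: docker.io
  repository: projecthami/kai-resource-isolator
  ## NOTE(review): "latest" is a mutable tag. With pullPolicy IfNotPresent each
  ## node keeps whatever "latest" resolved to on its first pull, so nodes can
  ## run different builds and a rollout is not reproducible. Outside a test
  ## cluster, set a released tag (or a digest, if the templates accept one).
  tag: latest
  pullPolicy: IfNotPresent

## Optional: override per-GPU VRAM (MiB) instead of node-label autodetect.
## Leave empty to autodetect from the nvidia.com/gpu.memory node label.
perGpuVramMiB: ""

paths:
  ## Host directory base; the chart installs libraries under {hostInstallBase}/vgpu/
  ## NOTE(review): libraries placed here are referenced from ld.so.preload (see
  ## below), so the provenance of the image above and write access to this host
  ## directory are part of the node's trust boundary.
  hostInstallBase: /usr/local
  ## Path inside the container and on the host (same absolute path is required
  ## for ld.so.preload and device-plugin compatibility)
  containerVgpuMount: /usr/local/vgpu

librarySync:
  ## Node labels for GPU nodes (empty = all nodes; set e.g.
  ## nvidia.com/gpu.present: "true" to sync libvgpu only to GPU nodes).
  nodeSelector: {}
  ## A key-less "Exists" toleration matches every taint with effect NoSchedule.
  ## Combined with the empty nodeSelector above, the sync pod is also eligible
  ## for tainted nodes such as control-plane nodes; set nodeSelector to limit
  ## where host files are written.
  tolerations:
    - operator: Exists
      effect: NoSchedule
  ## No requests or limits are set by default.
  resources: {}
  priorityClassName: system-node-critical
  podLabels: {}
  podAnnotations: {}

webhook:
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      memory: 128Mi
  nodeSelector: {}
  tolerations: []
  podLabels: {}
  podAnnotations: {}
  ## Comma-separated extended resources that trigger injection (HAMi vGPU sharing)
  gpuShareResources: "nvidia.com/gpu,nvidia.com/gpumem,nvidia.com/gpucores"
  ## NOTE(review): presumably rendered as the admission webhook's failurePolicy.
  ## Ignore is fail-open: when the webhook is unreachable or errors (more likely
  ## with replicaCount: 1), the API server admits the pod unmodified, so neither
  ## the injection nor the guard below is applied. Fail is the fail-closed value,
  ## at the cost of blocking matching pod creation while the webhook is down.
  failurePolicy: Ignore
  ## NVIDIA_VISIBLE_DEVICES env-bypass guard: off | audit | enforce.
  ## audit (default) logs unauthorized GPU-runtime pods without mutating — observe
  ## logs to confirm no system pods are flagged, then switch to enforce.
  ## NOTE(review): in audit mode the guard is detection only; it has value only
  ## if the webhook logs are collected and reviewed until enforce is enabled.
  nvidiaVisibleDevicesGuard: "audit"
  ## Optional: override trusted namespaces (comma-separated). Empty = built-in
  ## default (gpu-operator,kube-system,kai-scheduler,kai-resource-reservation,nvidia-network-operator).
  ## NOTE(review): pods in trusted namespaces are presumably exempt from the
  ## guard, so its strength depends on RBAC limiting who may create pods there.
  guardAllowedNamespaces: ""
  tls:
    ## When cert-manager is enabled, set patch.enabled to false.
    certManager:
      enabled: false
      ## A ClusterIssuer is cluster-scoped; set to false when an issuer named in
      ## issuerRef already exists in the cluster.
      createSelfSignedClusterIssuer: true
      issuerRef:
        kind: ClusterIssuer
        name: selfsigned
    patch:
      enabled: true
      ## NOTE(review): both certgen images live in Docker Hub repositories outside
      ## the projecthami organisation and are referenced by tag only. This job
      ## handles the webhook's TLS material, so consider mirroring the images
      ## into a registry you control and pinning them there.
      image:
        registry: docker.io
        repository: jettech/kube-webhook-certgen
        tag: v1.5.2
        pullPolicy: IfNotPresent
      imageNew:
        registry: docker.io
        repository: liangjw/kube-webhook-certgen
        tag: v1.1.1
        pullPolicy: IfNotPresent
      ## Non-root UID, presumably for the certgen job's containers.
      runAsUser: 2000
      nodeSelector: {}
      tolerations: []
  service:
    type: ClusterIP
    port: 443

rbac:
  ## The rules created are not visible in this file; review the rendered RBAC
  ## objects before installing.
  create: true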