
Commit 315bb6e

Merge pull request #238 from kannon92/add-read-only-root-filesystem
OCPNODE-3169: Kueue operand should use readOnlyRootFilesystem
2 parents 5feb40c + 55c6842 commit 315bb6e


3 files changed

+14
-2
lines changed


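--- a/pkg/configmap/configmap.go
+++ b/pkg/configmap/configmap.go
@@ -170,10 +170,13 @@ func defaultKueueConfigurationTemplate(kueueCfg kueue.KueueConfiguration) *confi
 InternalCertManagement: &configapi.InternalCertManagement{
 Enable: ptr.To(false),
 },
-// Disable the HierarchicalCohorts feature gate by default.
-// related to https://github.com/kubernetes-sigs/kueue/issues/4869
 FeatureGates: map[string]bool{
+// Disable the HierarchicalCohorts feature gate by default.
+// related to https://github.com/kubernetes-sigs/kueue/issues/4869
 "HierarchialCohorts": false,
+// Disable visibilityOnDemand
+// apiserver is insecure.
+"VisibilityOnDemand": false,
 },
 ManageJobsWithoutQueueName: buildManagedJobsWithoutQueueName(kueueCfg.WorkloadManagement),
 WaitForPodsReady: buildWaitForPodsReady(kueueCfg.GangScheduling),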
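Review bot: The comment added above `"VisibilityOnDemand": false` in the FeatureGates map says only "apiserver is insecure", which does not tell a maintainer what is exposed or what has to change before the gate can be enabled again. I would name the risk and link the tracking issue, e.g. `// Disable VisibilityOnDemand: its apiserver endpoint is not yet secured in this deployment; see <TRACKING-ISSUE>.` Separately, the comment moved into the map spells the gate HierarchicalCohorts while the key on the next line is `"HierarchialCohorts"`; if the upstream gate name matches the comment, that entry does not disable it, and the expected YAML in configmap_test.go pins the same spelling. defaultKueueConfigurationTemplate starts and ends outside the hunk.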

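--- a/pkg/configmap/configmap_test.go
+++ b/pkg/configmap/configmap_test.go
@@ -53,6 +53,7 @@ fairSharing:
 enable: false
 featureGates:
 HierarchialCohorts: false
+VisibilityOnDemand: false
 health:
 healthProbeBindAddress: :8081
 integrations:
@@ -109,6 +110,7 @@ fairSharing:
 enable: false
 featureGates:
 HierarchialCohorts: false
+VisibilityOnDemand: false
 health:
 healthProbeBindAddress: :8081
 integrations:
@@ -168,6 +170,7 @@ fairSharing:
 - LessThanInitialShare
 featureGates:
 HierarchialCohorts: false
+VisibilityOnDemand: false
 health:
 healthProbeBindAddress: :8081
 integrations:
@@ -218,6 +221,7 @@ fairSharing:
 enable: false
 featureGates:
 HierarchialCohorts: false
+VisibilityOnDemand: false
 health:
 healthProbeBindAddress: :8081
 integrations:
@@ -277,6 +281,7 @@ fairSharing:
 enable: false
 featureGates:
 HierarchialCohorts: false
+VisibilityOnDemand: false
 health:
 healthProbeBindAddress: :8081
 integrations: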

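--- a/pkg/operator/target_config_reconciler.go
+++ b/pkg/operator/target_config_reconciler.go
@@ -880,6 +880,10 @@ func (c *TargetConfigReconciler) manageDeployment(kueueoperator *kueuev1alpha1.K
 required.Spec.Template.Spec.Containers[0].VolumeMounts,
 metricsCertVolumeMount,
 )
+
+// add ReadOnlyRootFilesystem to Kueue deployment.
+// this will be fixed in upstream as of 0.12.
+required.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 // Add HA configuration for Kueue deployment.
 var replicas int32 = 2
 required.Spec.Replicas = ptr.To(replicas)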
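Review bot: The added assignment `required.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)` dereferences SecurityContext, which is a pointer field in the core/v1 Container type, so it will panic if the deployment asset ever ships the first container without a securityContext. The asset is not visible here, so this may hold today, but a guard keeps the hardening from depending on it: `if ctr := &required.Spec.Template.Spec.Containers[0]; ctr.SecurityContext == nil { ctr.SecurityContext = &corev1.SecurityContext{} }` (with whatever alias the file uses for k8s.io/api/core/v1). The comment could also record which paths the container still needs writable and that they are backed by volumes, since a read-only root filesystem turns any unmounted write into a runtime failure. manageDeployment starts and ends outside the hunk.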
