Add support for Bottlerocket on Neuron instance types (aws#7722)

vigh-m · rschalo · commit d207a72b68ea · 2025-02-26T19:24:54.000-08:00
diff --git a/pkg/controllers/nodeclass/ami_test.go b/pkg/controllers/nodeclass/ami_test.go
@@ -311,7 +311,7 @@ var _ = Describe("NodeClass AMI Status Controller", func() {
 			ExpectObjectReconciled(ctx, env.Client, controller, nodeClass)
 			nodeClass = ExpectExists(ctx, env.Client, nodeClass)
 
-			Expect(len(nodeClass.Status.AMIs)).To(Equal(4))
+			Expect(len(nodeClass.Status.AMIs)).To(Equal(5))
 			Expect(nodeClass.Status.AMIs).To(ContainElements([]v1.AMI{
 				{
 					Name: "amd64-standard",
@@ -351,6 +351,22 @@ var _ = Describe("NodeClass AMI Status Controller", func() {
 						},
 					},
 				},
+				// Note: Bottlerocket uses the same AMI for standard and neuron
+				{
+					Name: "amd64-standard",
+					ID:   "ami-amd64-standard",
+					Requirements: []corev1.NodeSelectorRequirement{
+						{
+							Key:      corev1.LabelArchStable,
+							Operator: corev1.NodeSelectorOpIn,
+							Values:   []string{karpv1.ArchitectureAmd64},
+						},
+						{
+							Key:      v1.LabelInstanceAcceleratorCount,
+							Operator: corev1.NodeSelectorOpExists,
+						},
+					},
+				},
 				{
 					Name: "amd64-nvidia",
 					ID:   "ami-amd64-nvidia",
@@ -468,7 +484,7 @@ var _ = Describe("NodeClass AMI Status Controller", func() {
 		ExpectObjectReconciled(ctx, env.Client, controller, nodeClass)
 		nodeClass = ExpectExists(ctx, env.Client, nodeClass)
 
-		Expect(len(nodeClass.Status.AMIs)).To(Equal(2))
+		Expect(len(nodeClass.Status.AMIs)).To(Equal(3))
 		Expect(nodeClass.Status.AMIs).To(ContainElements([]v1.AMI{
 			{
 				Name: "arm64-standard",
diff --git a/pkg/providers/amifamily/bootstrap/bottlerocketsettings.go b/pkg/providers/amifamily/bootstrap/bottlerocketsettings.go
@@ -79,6 +79,7 @@ type BottlerocketKubernetes struct {
 	ClusterDomain                      *string                                   `toml:"cluster-domain,omitempty"`
 	SeccompDefault                     *bool                                     `toml:"seccomp-default,omitempty"`
 	PodPidsLimit                       *int                                      `toml:"pod-pids-limit,omitempty"`
+	DeviceOwnershipFromSecurityContext *bool                                     `toml:"device-ownership-from-security-context,omitempty"`
 }
 
 type BottlerocketStaticPod struct {
diff --git a/pkg/providers/amifamily/bottlerocket.go b/pkg/providers/amifamily/bottlerocket.go
@@ -44,7 +44,7 @@ func (b Bottlerocket) DescribeImageQuery(ctx context.Context, ssmProvider ssm.Pr
 	trimmedAMIVersion := strings.TrimLeft(amiVersion, "v")
 	ids := map[string][]Variant{}
 	for path, variants := range map[string][]Variant{
-		fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s/x86_64/%s/image_id", k8sVersion, trimmedAMIVersion):        {VariantStandard},
+		fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s/x86_64/%s/image_id", k8sVersion, trimmedAMIVersion):        {VariantStandard, VariantNeuron},
 		fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s/arm64/%s/image_id", k8sVersion, trimmedAMIVersion):         {VariantStandard},
 		fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s-nvidia/x86_64/%s/image_id", k8sVersion, trimmedAMIVersion): {VariantNvidia},
 		fmt.Sprintf("/aws/service/bottlerocket/aws-k8s-%s-nvidia/arm64/%s/image_id", k8sVersion, trimmedAMIVersion):  {VariantNvidia},
diff --git a/pkg/providers/amifamily/suite_test.go b/pkg/providers/amifamily/suite_test.go
@@ -169,7 +169,7 @@ var _ = Describe("AMIProvider", func() {
 		}
 		amis, err := awsEnv.AMIProvider.List(ctx, nodeClass)
 		Expect(err).ToNot(HaveOccurred())
-		Expect(amis).To(HaveLen(4))
+		Expect(amis).To(HaveLen(5))
 	})
 	It("should succeed to resolve AMIs (Windows2019)", func() {
 		nodeClass.Spec.AMISelectorTerms = []v1.AMISelectorTerm{{Alias: "windows2019@latest"}}
@@ -304,7 +304,7 @@ var _ = Describe("AMIProvider", func() {
 			// Only 4 of the requirements sets for the SSM aliases will resolve
 			amis, err := awsEnv.AMIProvider.List(ctx, nodeClass)
 			Expect(err).ToNot(HaveOccurred())
-			Expect(amis).To(HaveLen(3))
+			Expect(amis).To(HaveLen(4))
 		})
 	})
 	Context("AMI Tag Requirements", func() {
diff --git a/website/content/en/preview/concepts/nodeclasses.md b/website/content/en/preview/concepts/nodeclasses.md
@@ -1353,6 +1353,20 @@ cluster-name = 'cluster'
 'memory.available' = '12%%'
 ```
 
+#### Device ownership in Bottlerocket
+
+Bottlerocket `v1.30.0+` supports device ownership using the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) provided in the Kubernetes specfile. To enable this, you will need the following user-data configurations:
+
+```toml
+[settings]
+[settings.kubernetes]
+device-ownership-from-security-context = true
+```
+
+This allows the container to take ownership of devices allocated to the pod via device-plugins based on the `runAsUser` and `runAsGroup` values provided in the spec. For more details on this, see the [Kubernetes documentation](https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/)
+
+This setting helps you enable Neuron workloads on Bottlerocket instances. See [Accelerators/GPU Resources]({{< ref "./scheduling#acceleratorsgpu-resources" >}}) for more details.
+
 ### Windows2019/Windows2022
 
 * Your UserData must be specified as PowerShell commands.

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ type BottlerocketKubernetes struct {`
`79`	`79`	ClusterDomain *string `toml:"cluster-domain,omitempty"`
`80`	`80`	SeccompDefault *bool `toml:"seccomp-default,omitempty"`
`81`	`81`	PodPidsLimit *int `toml:"pod-pids-limit,omitempty"`
	`82`	+ DeviceOwnershipFromSecurityContext *bool `toml:"device-ownership-from-security-context,omitempty"`
`82`	`83`	`}`
`83`	`84`
`84`	`85`	`type BottlerocketStaticPod struct {`