From d30d15900ba150076ad3c5ad0f8de8a1fbfc8147 Mon Sep 17 00:00:00 2001
From: Christopher Desiniotis
Date: Mon, 18 Aug 2025 15:16:35 -0700
Subject: [PATCH] Always use dedicated service account in device-plugin helm chart

Signed-off-by: Christopher Desiniotis
---
 .../nvidia-device-plugin/templates/daemonset-device-plugin.yml | 3 ---
 .../helm/nvidia-device-plugin/templates/daemonset-gfd.yml | 3 ---
 .../templates/daemonset-mps-control-daemon.yml | 2 --
 .../helm/nvidia-device-plugin/templates/role-binding.yml | 3 ---
 deployments/helm/nvidia-device-plugin/templates/role.yml | 3 ---
 .../helm/nvidia-device-plugin/templates/service-account.yml | 3 ---
 6 files changed, 17 deletions(-)

diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
index 6cfa5042b..fcd3355a2 100644
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml
@@ -15,7 +15,6 @@
 {{- if .Values.devicePlugin.enabled }}
 ---
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- $useServiceAccount := $options.hasConfigMap }}
 {{- $configMapName := (include "nvidia-device-plugin.configMapName" .) | trim }}
 {{- $daemonsetName := printf "%s" (include "nvidia-device-plugin.fullname" .) | trunc 63 | trimSuffix "-" }}
 apiVersion: apps/v1
@@ -52,9 +51,7 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $useServiceAccount }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
- {{- end }}
 {{- if $options.hasConfigMap }}
 shareProcessNamespace: true
 initContainers:
diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
index 09f9dfe39..cde4835b9 100644
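Review bot: `serviceAccountName` in the second hunk of daemonset-device-plugin.yml is now set on every install, so the pod's automounted token carries whatever the chart's ClusterRole grants even when `$options.hasConfigMap` is false. Whether the plugin container calls the API server in that case is not visible here; if it does not, the pod spec could add `automountServiceAccountToken: false` for that case so the credential is not mounted unused. At minimum a comment above the field would help, e.g. `# always run under the chart's dedicated service account, never the namespace default`. The same applies to the matching hunk in daemonset-gfd.yml. The pod spec starts and ends outside the hunk.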
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-gfd.yml
@@ -15,7 +15,6 @@
 {{- if .Values.gfd.enabled }}
 ---
 {{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- $useServiceAccount := or ( $options.hasConfigMap ) ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
 {{- $configMapName := (include "nvidia-device-plugin.configMapName" .) | trim }}
 {{- $daemonsetName := printf "%s-gpu-feature-discovery" (include "nvidia-device-plugin.fullname" .) | trunc 63 | trimSuffix "-" }}
 apiVersion: apps/v1
@@ -52,9 +51,7 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $useServiceAccount }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
- {{- end }}
 {{- if $options.hasConfigMap }}
 shareProcessNamespace: true
 {{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml b/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
index da37aba6d..f7174e188 100644
--- a/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
@@ -50,12 +50,10 @@ spec:
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- if $options.hasConfigMap }}
 serviceAccountName: {{ include "nvidia-device-plugin.fullname" . }}-service-account
 {{- if not .Values.mps.enableHostPID }}
 shareProcessNamespace: true
 {{- end }}
- {{- end }}
 {{- if .Values.mps.enableHostPID }}
 hostPID: true
 {{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/role-binding.yml b/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
index 9232b1ed3..667e8b57c 100644
--- a/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
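Review bot: Removing the outer `{{- if $options.hasConfigMap }}` in daemonset-mps-control-daemon.yml also un-gates `shareProcessNamespace: true`, which is now set whenever `.Values.mps.enableHostPID` is false. In the device-plugin and gfd daemonsets that field stays under `{{- if $options.hasConfigMap }}`. A shared process namespace lets every container in the pod see and signal the others' processes, so if the widening is not intended, keep the old condition on that field only: `{{- if and $options.hasConfigMap (not .Values.mps.enableHostPID) }}`. This assumes `$options` is still defined above the hunk, which is not visible here.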
+++ b/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
@@ -1,6 +1,4 @@
 ---
-{{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -15,4 +13,3 @@ roleRef:
 kind: ClusterRole
 name: {{ include "nvidia-device-plugin.fullname" . }}-role
 apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/role.yml b/deployments/helm/nvidia-device-plugin/templates/role.yml
index c2ecb803a..0a3f6680c 100644
--- a/deployments/helm/nvidia-device-plugin/templates/role.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/role.yml
@@ -1,6 +1,4 @@
 ---
-{{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,4 +14,3 @@ rules:
 resources: ["nodefeatures"]
 verbs: ["get", "list", "watch", "create", "update"]
 {{- end }}
-{{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/service-account.yml b/deployments/helm/nvidia-device-plugin/templates/service-account.yml
index 7ab9ba336..514354339 100644
--- a/deployments/helm/nvidia-device-plugin/templates/service-account.yml
+++ b/deployments/helm/nvidia-device-plugin/templates/service-account.yml
@@ -1,6 +1,4 @@
 ---
-{{- $options := (include "nvidia-device-plugin.options" . | fromJson) }}
-{{- if or $options.hasConfigMap ( and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -8,4 +6,3 @@ metadata:
 namespace: {{ include "nvidia-device-plugin.namespace" . }}
 labels:
 {{- include "nvidia-device-plugin.labels" . | nindent 4 }}
-{{- end }}
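Review bot: The ClusterRole in role.yml and the ClusterRoleBinding in role-binding.yml are now rendered on every install, and all three daemonsets bind to the same `<fullname>-service-account`, so every rule in the role applies to the device plugin, GFD and the MPS control daemon alike. The visible `nodefeatures` rule (including `create` and `update`) still sits under an inner conditional, but the rules above the hunk are not visible; if any is unconditional, installs that previously had no cluster-scoped RBAC now get it. A comment at the top of role.yml recording which component needs each rule would make this reviewable, e.g. `# nodefeatures: presumably needed only by gpu-feature-discovery with the NodeFeature API enabled`. Also worth confirming that `rules:` cannot render empty when the inner condition is false.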