Merge pull request #4345 from vigh-m/neuron-poc-bob

Add support for kubernetes device-ownership-from-security-context

Release.toml

@@ -1,4 +1,4 @@
-version = "1.29.0"
+version = "1.30.0"
 
 [migrations]
 "(0.3.1, 0.3.2)" = ["migrate_v0.3.2_admin-container-v0-5-0.lz4"]
@@ -380,3 +380,7 @@ version = "1.29.0"
     "migrate_v1.28.0_public-control-container-v0-7-18.lz4",
 ]
 "(1.28.0, 1.29.0)" = []
+"(1.29.0, 1.30.0)" = [
+    "migrate_v1.30.0_kubernetes-device-ownership-metadata.lz4",
+    "migrate_v1.30.0_kubernetes-device-ownership-settings.lz4"
+]

Twoliter.toml

@@ -1,5 +1,5 @@
 schema-version = 1
-release-version = "1.29.0"
+release-version = "1.30.0"
 
 [vendor.bottlerocket]
 registry = "public.ecr.aws/bottlerocket"

sources/Cargo.toml

@@ -71,6 +71,8 @@ members = [
     "settings-migrations/v1.28.0/public-admin-container-v0-11-14",
     "settings-migrations/v1.28.0/aws-control-container-v0-7-18",
     "settings-migrations/v1.28.0/public-control-container-v0-7-18",
+    "settings-migrations/v1.30.0/kubernetes-device-ownership-settings",
+    "settings-migrations/v1.30.0/kubernetes-device-ownership-metadata",
 
     "settings-plugins/aws-dev",
     "settings-plugins/aws-ecs-1",
@@ -147,22 +149,22 @@ version = "0.1.0"
 
 [workspace.dependencies.bottlerocket-modeled-types]
 git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
-tag = "bottlerocket-settings-models-v0.6.0"
-version = "0.6.0"
+tag = "bottlerocket-settings-models-v0.7.0"
+version = "0.7.0"
 
 [workspace.dependencies.bottlerocket-settings-models]
 git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
-tag = "bottlerocket-settings-models-v0.6.0"
-version = "0.6.0"
+tag = "bottlerocket-settings-models-v0.7.0"
+version = "0.7.0"
 
 [workspace.dependencies.bottlerocket-settings-plugin]
 git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
-tag = "bottlerocket-settings-plugin-v0.1.0"
+tag = "bottlerocket-settings-models-v0.7.0"
 version = "0.1.0"
 
 [workspace.dependencies.settings-extension-oci-defaults]
 git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
-tag = "bottlerocket-settings-models-v0.6.0"
+tag = "bottlerocket-settings-models-v0.7.0"
 version = "0.1.0"
 
 [profile.release]

sources/settings-defaults/aws-k8s-1.24-nvidia/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.24/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.25-nvidia/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.25/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.26-nvidia/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.26/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.31-nvidia/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/aws-k8s-1.31/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/metal-k8s-1.30/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-defaults/vmware-k8s-1.31/defaults.d/55-kubernetes-device-ownership-default-false.toml

@@ -0,0 +1 @@
+../../../shared-defaults/kubernetes-device-ownership-default-false.toml

sources/settings-migrations/v1.30.0/kubernetes-device-ownership-metadata/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "kubernetes-device-ownership-metadata"
+version = "0.1.0"
+authors = ["Vighnesh Maheshwari <vighmah@amazon.com>"]
+license = "Apache-2.0 OR MIT"
+edition = "2021"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+migration-helpers.workspace = true

sources/settings-migrations/v1.30.0/kubernetes-device-ownership-metadata/src/main.rs

@@ -0,0 +1,21 @@
+use migration_helpers::common_migrations::AddSettingsMigration;
+use migration_helpers::{migrate, Result};
+use std::process;
+
+///  We added a new setting, `settings.kubernetes.device-ownership-from-security-context` to allow containers to gain
+/// ownership of the requested device
+fn run() -> Result<()> {
+    migrate(AddSettingsMigration(&[
+        "settings.kubernetes.device-ownership-from-security-context",
+    ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}

sources/settings-migrations/v1.30.0/kubernetes-device-ownership-settings/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "kubernetes-device-ownership-settings"
+version = "0.1.0"
+authors = ["Vighnesh Maheshwari <vighmah@amazon.com>"]
+license = "Apache-2.0 OR MIT"
+edition = "2021"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+migration-helpers.workspace = true

sources/settings-migrations/v1.30.0/kubernetes-device-ownership-settings/src/main.rs

@@ -0,0 +1,22 @@
+use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+///  We added a new setting, `settings.kubernetes.device-ownership-from-security-context` to allow containers to gain
+/// ownership of the requested device
+fn run() -> Result<()> {
+    migrate(AddMetadataMigration(&[SettingMetadata {
+        metadata: &["affected-services"],
+        setting: "settings.kubernetes.device-ownership-from-security-context",
+    }]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}

sources/shared-defaults/kubernetes-device-ownership-default-false.toml

@@ -0,0 +1,5 @@
+[settings.kubernetes]
+device-ownership-from-security-context = false
+
+[metadata.settings.kubernetes.device-ownership-from-security-context]
+affected-services = ["containerd"]