Merge pull request #1392 from mythi/PR-2023-019

sgx: stop using local source hooks for EPC registration

Author: hj-johannes-lee

cmd/operator/README.md

@@ -23,14 +23,12 @@ The default operator deployment depends on NFD and cert-manager. Those component
 
 ### NFD
 
-Install NFD (if it's not already installed) and node labelling rules (requires NFD v0.10+):
+Install NFD (if it's not already installed) and node labelling rules (requires NFD v0.13+):
 
 ```
-# either with default NFD installation
+# deploy NFD
 $ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=<RELEASE_VERSION>'
-# or when setting up with SGX
-$ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/sgx?ref=<RELEASE_VERSION>'
-# and finally, NodeFeatureRules
+# deploy NodeFeatureRules
 $ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=<RELEASE_VERSION>'
 ```
 Make sure both NFD master and worker pods are running:

cmd/sgx_plugin/README.md

@@ -84,7 +84,7 @@ Where `<RELEASE_VERSION>` needs to be substituted with the desired [release tag]
 First, deploy `node-feature-discovery`:
 
 ```bash
-$ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/sgx?ref=<RELEASE_VERSION>'
+$ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/?ref=<RELEASE_VERSION>'
 $ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=<RELEASE_VERSION>'
 ```
 
@@ -110,13 +110,13 @@ $ kubectl apply -f 'https://raw.githubusercontent.com/intel/intel-device-plugins
 There are two alternative ways to deploy SGX device plugin using `kubectl`.
 
 The first approach involves deployment of the [SGX DaemonSet YAML](/deployments/sgx_plugin/base/intel-sgx-plugin.yaml)
-and [node-feature-discovery](/deployments/nfd/overlays/sgx/kustomization.yaml)
+and [node-feature-discovery](/deployments/nfd/kustomization.yaml)
 with the necessary configuration.
 
 The following kustomizations are needed for deploying everything:
 ```bash
 # first, deploy NFD and the necessary NodeFeatureRules
-$ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/sgx'
+$ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd'
 $ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules'
 # and then, deploy SGX plugin
 $ kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_plugin/overlays/epc-nfd/'
@@ -150,9 +150,9 @@ $ kubectl describe node <node name> | grep sgx.intel.com
  sgx.intel.com/enclave:    20
  sgx.intel.com/epc:        98566144
  sgx.intel.com/provision:  20
- sgx.intel.com/enclave    1           1
- sgx.intel.com/epc        400         400
- sgx.intel.com/provision  1           1
+ sgx.intel.com/enclave    0           0
+ sgx.intel.com/epc        0           0
+ sgx.intel.com/provision  0           0
 ```
 
 ## Testing and Demos

deployments/nfd/base/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
-- "https://github.com/kubernetes-sigs/node-feature-discovery/deployment/overlays/default?ref=v0.12.1"
+- "https://github.com/kubernetes-sigs/node-feature-discovery/deployment/overlays/default?ref=v0.13.1"

deployments/nfd/components/sgx/kustomization.yaml

@@ -86,14 +86,16 @@ spec:
     - name: "intel.sgx"
       labels:
         "intel.feature.node.kubernetes.io/sgx": "true"
+      extendedResources:
+        sgx.intel.com/epc: "@cpu.security.sgx.epc"
       matchFeatures:
         - feature: cpu.cpuid
           matchExpressions:
             SGX: {op: Exists}
             SGXLC: {op: Exists}
-        - feature: cpu.sgx
+        - feature: cpu.security
           matchExpressions:
-            enabled: {op: IsTrue}
+            sgx.enabled: {op: IsTrue}
         - feature: kernel.config
           matchExpressions:
             X86_SGX: {op: Exists}

deployments/nfd/components/sgx/master-args.yaml

@@ -90,6 +90,8 @@ spec:
     - name: "intel.sgx"
       labels:
         "intel.feature.node.kubernetes.io/sgx": "true"
+      extendedResources:
+        sgx.intel.com/epc: "@cpu.security.sgx.epc"
       matchFeatures:
         - feature: cpu.cpuid
           matchExpressions:

deployments/nfd/components/sgx/master-rbac.yaml

@@ -4,7 +4,6 @@ metadata:
   name: sgxdeviceplugin-sample
 spec:
   image: intel/intel-sgx-plugin:0.26.0
-  initImage: intel/intel-sgx-initcontainer:0.26.0
   enclaveLimit: 110
   provisionLimit: 110
   logLevel: 4