#131 /dev/kvm access
Closed: Fixed by dkirwan. Opened by gundersanne.

I'm currently migrating the cockpit project on oc3 to the frontdoor project on oc4.

On oc3 we had access to nodes which have /dev/kvm using a nodeselector which has an oci hook to enable kvm.

Is it possible to get kvm access on ocp4?

Thank you


Metadata Update from @siddharthvipul1:
- Issue tagged with: centos-ci-infra

Metadata Update from @siddharthvipul1:
- Issue assigned to dkirwan

Metadata Update from @dkirwan:
- Issue priority set to: None (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain

@gundersanne can you nominate the service account that will have permissions to launch the privileged containers to access kvm?

Metadata Update from @dkirwan:
- Issue untagged with: low-trouble, medium-gain
- Issue priority set to: Needs Review

If possible the serviceaccount:frontdoor:deployer account. If I understand it correctly, we could assign that account to a replication controller which would launch the pods which require kvm.

Or would we need to have a non-default account for this? (I'm not entirely familiar with the service accounts)

Other tenants on the cluster with similar requirements/permissions (privileged security context [1]) of kvm access use a Jenkins instance, with a jenkins service account for example. They launch their workloads using this service account.

How do you plan to run these workloads? Is it a manual process or have you some sort of automation? Ideally it would be good to have a service account with the required permissions which you use to launch your workloads.

  • [1] https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth

We use it manually, yes; this might change in future when we switch to GitHub Actions, but for now the way we use centosci is a replicationcontroller with the pods running continuously, consuming from an amqp queue.

If it would be better to have a separate serviceaccount just for this controller that would be ok too I think.
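The pattern discussed in the two comments above (a service account bound to the privileged SCC, used by a replication controller whose pods need /dev/kvm) looks like this in OpenShift manifests. This is an added example, not a manifest from the ticket or from the frontdoor project; the service account name `frontdoor-kvm`, the controller name, the image and the replica count are assumptions. The SCC binding itself is done once by a cluster admin with `oc adm policy add-scc-to-user privileged -z frontdoor-kvm -n frontdoor`.

```yaml
# Added example (not from the ticket). Assumed names: frontdoor-kvm, frontdoor-kvm-workers,
# and the worker image. Bind the SA to the privileged SCC once, as cluster admin:
#   oc adm policy add-scc-to-user privileged -z frontdoor-kvm -n frontdoor
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontdoor-kvm
  namespace: frontdoor
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: frontdoor-kvm-workers
  namespace: frontdoor
spec:
  replicas: 2
  selector:
    app: frontdoor-kvm-worker
  template:
    metadata:
      labels:
        app: frontdoor-kvm-worker
    spec:
      # Pods are admitted against the privileged SCC because of this SA, not because
      # of whoever created the controller; the privilege stays scoped to the workload.
      serviceAccountName: frontdoor-kvm
      # No nodeSelector: on this cluster every node exposes /dev/kvm (see the ticket).
      containers:
      - name: worker
        image: quay.io/example/frontdoor-worker:latest   # assumed image
        securityContext:
          privileged: true        # needed to open /dev/kvm; only admitted via the privileged SCC
        volumeMounts:
        - name: kvm
          mountPath: /dev/kvm
      volumes:
      - name: kvm
        hostPath:
          path: /dev/kvm
          type: CharDevice        # pod fails to start on a node that lacks the device
```

A privileged container already sees the host's devices, so the explicit `hostPath` mount is there to make the dependency visible in the manifest and to let `type: CharDevice` fail the pod early on a node without kvm. Granting the SCC to a dedicated service account rather than to personal administrator accounts (the route the ticket eventually took) keeps the privilege tied to this one controller and makes it easy to revoke with `oc adm policy remove-scc-from-user privileged -z frontdoor-kvm -n frontdoor`.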

Hmm, I can add the permissions to one or more of your frontdoor project administrator accounts directly too. But yes, it would be best to have it on a service account.

Well, adding it to the administrators would be easiest for us. The same ones mentioned in https://pagure.io/centos-infra/issue/116, being:

  • martinpitt (mpitt@redhat.com)
  • mmarusak (mmarusak@redhat.com)
  • gundersanne (sraymaek@redhat.com)

Otherwise, if I understand it correctly, we would have to impersonate the service account.

@gundersanne I've added the required permission to the three accounts listed, I'll mark this resolved.

Metadata Update from @dkirwan:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

On the cluster there is no need to target a specific node via the nodeselector, any/all should have the required access.

Ideally, start investigating the use of the KubeVirt operator (https://kubevirt.io/) resources also; in the long run I'd much prefer if tenants were making use of kvm via this operator rather than directly accessing it via privileged permissions!

We will start investigating that. Thank you!
