11 changes: 11 additions & 0 deletions pods/tool-box-pdb.yaml
@@ -0,0 +1,11 @@
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: toolbox-pdb
namespace: seba
spec:
minAvailable: 1
selector:
matchLabels:
app: dpdk
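Review bot: minAvailable: 1 makes the matched pod non-evictable whenever the deployment runs a single replica, so a node drain will hang on this budget; confirm the toolbox deployment runs more than one replica, or use `maxUnavailable: 1` instead, which still permits eviction of a sole replica.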


high

The selector app: dpdk in this PodDisruptionBudget does not match the labels of the pods created by the toolbox deployment (defined in pods/deployment-toolbox.yaml), which are labeled with app: toolbox. Given the PDB's name is toolbox-pdb, it seems intended for that deployment. To fix this, the selector should be updated to match the deployment's pod labels.

      app: toolbox

7 changes: 7 additions & 0 deletions prepare-node-virtual-cluster/prepare-server.yaml
@@ -315,6 +315,13 @@
register: kubectl_download
until: kubectl_download is succeeded

- name: Create symbolic link for kubectl binary
file:
src: /usr/local/bin/kubectl
dest: /bin/kubectl
state: link
mode: '0777'
Comment on lines +318 to +323


high

This task creates a symbolic link for kubectl with overly permissive 0777 permissions, which is a security risk as it makes the link world-writable. Additionally, creating symlinks in /bin is less common; /usr/bin is a more standard location and is consistent with how the Go binary is handled earlier in this playbook.

I suggest changing the destination to /usr/bin/kubectl and removing the mode parameter to use secure default permissions.

    - name: Create symbolic link for kubectl binary
      file:
        src: /usr/local/bin/kubectl
        dest: /usr/bin/kubectl
        state: link


- name: Verify kubectl installation
command: kubectl version --client
changed_when: false
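Review bot: Linux ignores the permission bits on a symlink itself, but the Ansible `file` module's `follow` option defaults to true, so `mode: '0777'` on this `state: link` task is applied to the link target, /usr/local/bin/kubectl, and leaves the real binary world-writable on the node; drop `mode` entirely. Note also that on merged-/usr distributions /bin is itself a symlink to /usr/bin, so `dest: /bin/kubectl` and `/usr/bin/kubectl` name the same file.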
45 changes: 45 additions & 0 deletions sriov-configs/test17.yaml
@@ -0,0 +1,45 @@
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
name: sriov-nic-1
namespace: openshift-sriov-network-operator
spec:
deviceType: netdevice
nicSelector:
pfNames: ["enp41s0"]
nodeSelector:
kubernetes.io/hostname: ocp-virt-worker-0.lab
numVfs: 5
priority: 99
resourceName: sriov_nic_1
mtu: 1500
---
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
name: sriov-nic-2
namespace: openshift-sriov-network-operator
spec:
deviceType: netdevice
nicSelector:
pfNames: ["enp22s0"]
nodeSelector:
kubernetes.io/hostname: ocp-virt-worker-0.lab
Comment on lines +10 to +27


medium

The nodeSelector in both SriovNetworkNodePolicy resources (lines 10-11 and 26-27) uses a hardcoded hostname (ocp-virt-worker-0.lab). This ties the configuration to a specific node in a specific environment, which hurts reusability and makes it brittle. Consider using a more generic node label to identify nodes with the required capabilities. For example, you could label the node with something like sriov-nic-type: intel-XX and use that in the selectors.

numVfs: 5
priority: 99
resourceName: sriov_nic_2
mtu: 1500
# externallyManaged: true
---
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
name: sriov-network-1
namespace: openshift-sriov-network-operator
spec:
ipam: '{"type": "host-local","ranges": [[{"subnet": "10.0.1.0/24"}]],"dataDir":
"/run/my-orchestrator/container-ipam-state-1"}'
Comment on lines +40 to +41


critical

The ipam configuration is specified as a multi-line single-quoted string, which is invalid YAML syntax and will cause parsing errors. The string should be on a single line, or a YAML block scalar should be used for better readability.

  ipam: '{"type": "host-local","ranges": [[{"subnet": "10.0.1.0/24"}]],"dataDir": "/run/my-orchestrator/container-ipam-state-1"}'

networkNamespace: seba
spoofChk: "on"
trust: "on"
resourceName: sriov_nic_1
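Review bot: `trust: "on"` in the SriovNetwork lets the workload change the VF's MAC address and enable promiscuous mode from inside the pod, which weakens the protection `spoofChk: "on"` is meant to give; confirm the dpdk workload actually needs a trusted VF, otherwise set `trust: "off"`. On the `ipam` value at lines 40-41: a single-quoted YAML scalar may legally span lines (the line break folds to a space) as long as the continuation is indented under the key, so check the file with a YAML parser rather than assuming it fails; the single-line form or a block scalar is still preferable for readability.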