Remove runtime class

Signed-off-by: Simon Davies <[email protected]>

Author: simongdavies

README.md

@@ -80,7 +80,8 @@ kind: Pod
 metadata:
   name: my-hyperlight-app
 spec:
-  runtimeClassName: hyperlight-kvm  # or hyperlight-mshv
+  nodeSelector:
+    hyperlight.dev/hypervisor: kvm  # or mshv
   automountServiceAccountToken: false
   securityContext:
     runAsNonRoot: true

deploy/azure/setup.sh

@@ -157,7 +157,6 @@ create_kvm_nodepool() {
             --min-count "${KVM_NODE_MIN_COUNT}" \
             --max-count "${KVM_NODE_MAX_COUNT}" \
             --labels "hyperlight.dev/hypervisor=kvm" "hyperlight.dev/enabled=true" \
-            --node-taints "hyperlight.dev/hypervisor=kvm:NoSchedule" \
             --mode User \
             --ssh-access disabled \
             -o none
@@ -184,7 +183,6 @@ create_mshv_nodepool() {
             --min-count "${MSHV_NODE_MIN_COUNT}" \
             --max-count "${MSHV_NODE_MAX_COUNT}" \
             --labels "hyperlight.dev/hypervisor=mshv" "hyperlight.dev/enabled=true" \
-            --node-taints "hyperlight.dev/hypervisor=mshv:NoSchedule" \
             --mode User \
             --ssh-access disabled \
             -o none

deploy/local/device-plugin.yaml

@@ -24,44 +24,6 @@ metadata:
     app.kubernetes.io/name: hyperlight-system
     app.kubernetes.io/part-of: hyperlight
 
----
-# RuntimeClass for KVM-based Hyperlight workloads
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
-  name: hyperlight-kvm
-  labels:
-    app.kubernetes.io/name: hyperlight-kvm
-    app.kubernetes.io/part-of: hyperlight
-handler: runc
-scheduling:
-  nodeSelector:
-    hyperlight.dev/hypervisor: kvm
-  tolerations:
-    - key: "hyperlight.dev/hypervisor"
-      operator: "Equal"
-      value: "kvm"
-      effect: "NoSchedule"
-
----
-# RuntimeClass for MSHV-based Hyperlight workloads
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
-  name: hyperlight-mshv
-  labels:
-    app.kubernetes.io/name: hyperlight-mshv
-    app.kubernetes.io/part-of: hyperlight
-handler: runc
-scheduling:
-  nodeSelector:
-    hyperlight.dev/hypervisor: mshv
-  tolerations:
-    - key: "hyperlight.dev/hypervisor"
-      operator: "Equal"
-      value: "mshv"
-      effect: "NoSchedule"
-
 ---
 # ServiceAccount for device plugin
 apiVersion: v1
@@ -99,11 +61,6 @@ spec:
       # Only run on nodes with hyperlight enabled
       nodeSelector:
         hyperlight.dev/enabled: "true"
-      # Tolerate hypervisor taints
-      tolerations:
-        - key: "hyperlight.dev/hypervisor"
-          operator: "Exists"
-          effect: "NoSchedule"
       priorityClassName: system-node-critical
       containers:
         - name: device-plugin

deploy/local/setup.sh

@@ -98,7 +98,7 @@ EOF
 }
 
 setup_node_labels() {
-    log_info "Setting up node labels and taints..."
+    log_info "Setting up node labels..."
 
     # The labels are set in kind-config.yaml, but let's ensure they exist
     local node
@@ -107,9 +107,6 @@ setup_node_labels() {
     kubectl label node "${node}" hyperlight.dev/enabled=true --overwrite
     kubectl label node "${node}" hyperlight.dev/hypervisor=kvm --overwrite
 
-    # Add taint (optional for local dev, but matches production)
-    kubectl taint node "${node}" hyperlight.dev/hypervisor=kvm:NoSchedule --overwrite 2>/dev/null || true
-    
     log_success "Node configured"
 }
 

deploy/manifests/device-plugin.yaml

@@ -8,44 +8,6 @@ metadata:
     app.kubernetes.io/name: hyperlight-system
     app.kubernetes.io/part-of: hyperlight
 
----
-# RuntimeClass for KVM-based Hyperlight workloads
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
-  name: hyperlight-kvm
-  labels:
-    app.kubernetes.io/name: hyperlight-kvm
-    app.kubernetes.io/part-of: hyperlight
-handler: runc
-scheduling:
-  nodeSelector:
-    hyperlight.dev/hypervisor: kvm
-  tolerations:
-    - key: "hyperlight.dev/hypervisor"
-      operator: "Equal"
-      value: "kvm"
-      effect: "NoSchedule"
-
----
-# RuntimeClass for MSHV-based Hyperlight workloads
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
-  name: hyperlight-mshv
-  labels:
-    app.kubernetes.io/name: hyperlight-mshv
-    app.kubernetes.io/part-of: hyperlight
-handler: runc
-scheduling:
-  nodeSelector:
-    hyperlight.dev/hypervisor: mshv
-  tolerations:
-    - key: "hyperlight.dev/hypervisor"
-      operator: "Equal"
-      value: "mshv"
-      effect: "NoSchedule"
-
 ---
 # ServiceAccount for device plugin
 apiVersion: v1
@@ -83,11 +45,6 @@ spec:
       # Only run on nodes with hyperlight enabled
       nodeSelector:
         hyperlight.dev/enabled: "true"
-      # Tolerate hypervisor taints
-      tolerations:
-        - key: "hyperlight.dev/hypervisor"
-          operator: "Exists"
-          effect: "NoSchedule"
       priorityClassName: system-node-critical
       containers:
         - name: device-plugin

deploy/manifests/examples/deployment-kvm.yaml

@@ -21,8 +21,9 @@ spec:
         app.kubernetes.io/name: hyperlight-app
         hyperlight.dev/hypervisor: kvm
     spec:
-      runtimeClassName: hyperlight-kvm
-      # Disable K8s API access - most apps don't need it
+      nodeSelector:
+        hyperlight.dev/hypervisor: kvm
+      # Disable K8s API access
       automountServiceAccountToken: false
       # Explicitly disable host namespaces
       hostNetwork: false

deploy/manifests/examples/deployment-mshv.yaml

@@ -21,8 +21,9 @@ spec:
         app.kubernetes.io/name: hyperlight-app
         hyperlight.dev/hypervisor: mshv
     spec:
-      runtimeClassName: hyperlight-mshv
-      # Disable K8s API access - most apps don't need it
+      nodeSelector:
+        hyperlight.dev/hypervisor: mshv
+      # Disable K8s API access 
       automountServiceAccountToken: false
       # Explicitly disable host namespaces
       hostNetwork: false

deploy/manifests/examples/test-pod-kvm.yaml

@@ -9,7 +9,8 @@ metadata:
     app.kubernetes.io/name: hyperlight-test
     hyperlight.dev/hypervisor: kvm
 spec:
-  runtimeClassName: hyperlight-kvm
+  nodeSelector:
+    hyperlight.dev/hypervisor: kvm
   containers:
     - name: test
       image: alpine:3.19

deploy/manifests/examples/test-pod-mshv.yaml

@@ -9,7 +9,8 @@ metadata:
     app.kubernetes.io/name: hyperlight-test
     hyperlight.dev/hypervisor: mshv
 spec:
-  runtimeClassName: hyperlight-mshv
+  nodeSelector:
+    hyperlight.dev/hypervisor: mshv
   containers:
     - name: test
       image: alpine:3.19

device-plugin/Dockerfile

@@ -17,8 +17,7 @@ RUN apk --no-cache add ca-certificates
 
 COPY --from=builder /app/hyperlight-device-plugin /usr/local/bin/
 
-# Run as non-root
-RUN adduser -D -u 1000 hyperlight
-USER hyperlight
+# Note: Runs as root (runAsUser: 0) in Kubernetes - required for
+# write access to /var/lib/kubelet/device-plugins and /var/run/cdi
 
 ENTRYPOINT ["hyperlight-device-plugin"]