charts/node-feature-discovery/values.yaml

image:
  repository: registry.k8s.io/nfd/node-feature-discovery
  # This should be set to 'IfNotPresent' for released version
  pullPolicy: IfNotPresent
  # tag, if defined will use the given image tag, else Chart.AppVersion will be used
  # tag
imagePullSecrets: []

nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""

enableNodeFeatureApi: true

master:
  enable: true
  config: ### <NFD-MASTER-CONF-START-DO-NOT-REMOVE>
    # noPublish: false
    # autoDefaultNs: true
    # extraLabelNs: ["added.ns.io","added.kubernets.io"]
    # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
    # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
    # enableTaints: false
    # labelWhiteList: "foo"
    # resyncPeriod: "2h"
    # klog:
    #    addDirHeader: false
    #    alsologtostderr: false
    #    logBacktraceAt:
    #    logtostderr: true
    #    skipHeaders: false
    #    stderrthreshold: 2
    #    v: 0
    #    vmodule:
    ##   NOTE: the following options are not dynamically run-time configurable
    ##         and require a nfd-master restart to take effect after being changed
    #    logDir:
    #    logFile:
    #    logFileMaxSize: 1800
    #    skipLogHeaders: false
    # leaderElection:
    #   leaseDuration: 15s
    #   # this value has to be lower than leaseDuration and greater than retryPeriod*1.2
    #   renewDeadline: 10s
    #   # this value has to be greater than 0
    #   retryPeriod: 2s
    # nfdApiParallelism: 10
  ### <NFD-MASTER-CONF-END-DO-NOT-REMOVE>
  # The TCP port that nfd-master listens for incoming requests. Default: 8080
  # Deprecated this parameter is related to the deprecated gRPC API and will
  # be removed with it in a future release  
  port: 8080
  metricsPort: 8081
  instance:
  featureApi:
  resyncPeriod:
  denyLabelNs: []
  extraLabelNs: []
  resourceLabels: []
  enableTaints: false
  crdController: null
  featureRulesController: null
  nfdApiParallelism: null
  deploymentAnnotations: {}
  replicaCount: 1

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    # runAsUser: 1000

  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name:

  rbac:
    create: true

  service:
    type: ClusterIP
    port: 8080

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}

  tolerations:
  - key: "node-role.kubernetes.io/master"
    operator: "Equal"
    value: ""
    effect: "NoSchedule"
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Equal"
    value: ""
    effect: "NoSchedule"

  annotations: {}

  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          preference:
            matchExpressions:
              - key: "node-role.kubernetes.io/master"
                operator: In
                values: [""]
        - weight: 1
          preference:
            matchExpressions:
              - key: "node-role.kubernetes.io/control-plane"
                operator: In
                values: [""]

worker:
  enable: true
  config: ### <NFD-WORKER-CONF-START-DO-NOT-REMOVE>
    #core:
    #  labelWhiteList:
    #  noPublish: false
    #  sleepInterval: 60s
    #  featureSources: [all]
    #  labelSources: [all]
    #  klog:
    #    addDirHeader: false
    #    alsologtostderr: false
    #    logBacktraceAt:
    #    logtostderr: true
    #    skipHeaders: false
    #    stderrthreshold: 2
    #    v: 0
    #    vmodule:
    ##   NOTE: the following options are not dynamically run-time configurable
    ##         and require a nfd-worker restart to take effect after being changed
    #    logDir:
    #    logFile:
    #    logFileMaxSize: 1800
    #    skipLogHeaders: false
    #sources:
    #  cpu:
    #    cpuid:
    ##     NOTE: whitelist has priority over blacklist
    #      attributeBlacklist:
    #        - "BMI1"
    #        - "BMI2"
    #        - "CLMUL"
    #        - "CMOV"
    #        - "CX16"
    #        - "ERMS"
    #        - "F16C"
    #        - "HTT"
    #        - "LZCNT"
    #        - "MMX"
    #        - "MMXEXT"
    #        - "NX"
    #        - "POPCNT"
    #        - "RDRAND"
    #        - "RDSEED"
    #        - "RDTSCP"
    #        - "SGX"
    #        - "SSE"
    #        - "SSE2"
    #        - "SSE3"
    #        - "SSE4"
    #        - "SSE42"
    #        - "SSSE3"
    #        - "TDX_GUEST"
    #      attributeWhitelist:
    #  kernel:
    #    kconfigFile: "/path/to/kconfig"
    #    configOpts:
    #      - "NO_HZ"
    #      - "X86"
    #      - "DMI"
    #  pci:
    #    deviceClassWhitelist:
    #      - "0200"
    #      - "03"
    #      - "12"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #      - "subsystem_vendor"
    #      - "subsystem_device"
    #  usb:
    #    deviceClassWhitelist:
    #      - "0e"
    #      - "ef"
    #      - "fe"
    #      - "ff"
    #    deviceLabelFields:
    #      - "class"
    #      - "vendor"
    #      - "device"
    #  local:
    #    hooksEnabled: false
    #  custom:
    #    # The following feature demonstrates the capabilities of the matchFeatures
    #    - name: "my custom rule"
    #      labels:
    #        "vendor.io/my-ng-feature": "true"
    #      # matchFeatures implements a logical AND over all matcher terms in the
    #      # list (i.e. all of the terms, or per-feature matchers, must match)
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchExpressions:
    #            AVX512F: {op: Exists}
    #        - feature: cpu.cstate
    #          matchExpressions:
    #            enabled: {op: IsTrue}
    #        - feature: cpu.pstate
    #          matchExpressions:
    #            no_turbo: {op: IsFalse}
    #            scaling_governor: {op: In, value: ["performance"]}
    #        - feature: cpu.rdt
    #          matchExpressions:
    #            RDTL3CA: {op: Exists}
    #        - feature: cpu.sst
    #          matchExpressions:
    #            bf.enabled: {op: IsTrue}
    #        - feature: cpu.topology
    #          matchExpressions:
    #            hardware_multithreading: {op: IsFalse}
    #
    #        - feature: kernel.config
    #          matchExpressions:
    #            X86: {op: Exists}
    #            LSM: {op: InRegexp, value: ["apparmor"]}
    #        - feature: kernel.loadedmodule
    #          matchExpressions:
    #            e1000e: {op: Exists}
    #        - feature: kernel.selinux
    #          matchExpressions:
    #            enabled: {op: IsFalse}
    #        - feature: kernel.version
    #          matchExpressions:
    #            major: {op: In, value: ["5"]}
    #            minor: {op: Gt, value: ["10"]}
    #
    #        - feature: storage.block
    #          matchExpressions:
    #            rotational: {op: In, value: ["0"]}
    #            dax: {op: In, value: ["0"]}
    #
    #        - feature: network.device
    #          matchExpressions:
    #            operstate: {op: In, value: ["up"]}
    #            speed: {op: Gt, value: ["100"]}
    #
    #        - feature: memory.numa
    #          matchExpressions:
    #            node_count: {op: Gt, value: ["2"]}
    #        - feature: memory.nv
    #          matchExpressions:
    #            devtype: {op: In, value: ["nd_dax"]}
    #            mode: {op: In, value: ["memory"]}
    #
    #        - feature: system.osrelease
    #          matchExpressions:
    #            ID: {op: In, value: ["fedora", "centos"]}
    #        - feature: system.name
    #          matchExpressions:
    #            nodename: {op: InRegexp, value: ["^worker-X"]}
    #
    #        - feature: local.label
    #          matchExpressions:
    #            custom-feature-knob: {op: Gt, value: ["100"]}
    #
    #    # The following feature demonstrates the capabilities of the matchAny
    #    - name: "my matchAny rule"
    #      labels:
    #        "vendor.io/my-ng-feature-2": "my-value"
    #      # matchAny implements a logical IF over all elements (sub-matchers) in
    #      # the list (i.e. at least one feature matcher must match)
    #      matchAny:
    #        - matchFeatures:
    #            - feature: kernel.loadedmodule
    #              matchExpressions:
    #                driver-module-X: {op: Exists}
    #            - feature: pci.device
    #              matchExpressions:
    #                vendor: {op: In, value: ["8086"]}
    #                class: {op: In, value: ["0200"]}
    #        - matchFeatures:
    #            - feature: kernel.loadedmodule
    #              matchExpressions:
    #                driver-module-Y: {op: Exists}
    #            - feature: usb.device
    #              matchExpressions:
    #                vendor: {op: In, value: ["8086"]}
    #                class: {op: In, value: ["02"]}
    #
    #    - name: "avx wildcard rule"
    #      labels:
    #        "my-avx-feature": "true"
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchName: {op: InRegexp, value: ["^AVX512"]}
    #
    #    # The following features demonstreate label templating capabilities
    #    - name: "my template rule"
    #      labelsTemplate: |
    #        {{ range .system.osrelease }}vendor.io/my-system-feature.{{ .Name }}={{ .Value }}
    #        {{ end }}
    #      matchFeatures:
    #        - feature: system.osrelease
    #          matchExpressions:
    #            ID: {op: InRegexp, value: ["^open.*"]}
    #            VERSION_ID.major: {op: In, value: ["13", "15"]}
    #
    #    - name: "my template rule 2"
    #      labelsTemplate: |
    #        {{ range .pci.device }}vendor.io/my-pci-device.{{ .class }}-{{ .device }}=with-cpuid
    #        {{ end }}
    #      matchFeatures:
    #        - feature: pci.device
    #          matchExpressions:
    #            class: {op: InRegexp, value: ["^06"]}
    #            vendor: ["8086"]
    #        - feature: cpu.cpuid
    #          matchExpressions:
    #            AVX: {op: Exists}
    #
    #    # The following examples demonstrate vars field and back-referencing
    #    # previous labels and vars
    #    - name: "my dummy kernel rule"
    #      labels:
    #        "vendor.io/my.kernel.feature": "true"
    #      matchFeatures:
    #        - feature: kernel.version
    #          matchExpressions:
    #            major: {op: Gt, value: ["2"]}
    #
    #    - name: "my dummy rule with no labels"
    #      vars:
    #        "my.dummy.var": "1"
    #      matchFeatures:
    #        - feature: cpu.cpuid
    #          matchExpressions: {}
    #
    #    - name: "my rule using backrefs"
    #      labels:
    #        "vendor.io/my.backref.feature": "true"
    #      matchFeatures:
    #        - feature: rule.matched
    #          matchExpressions:
    #            vendor.io/my.kernel.feature: {op: IsTrue}
    #            my.dummy.var: {op: Gt, value: ["0"]}
    #
    #    - name: "kconfig template rule"
    #      labelsTemplate: |
    #        {{ range .kernel.config }}kconfig-{{ .Name }}={{ .Value }}
    #        {{ end }}
    #      matchFeatures:
    #        - feature: kernel.config
    #          matchName: {op: In, value: ["SWAP", "X86", "ARM"]}
### <NFD-WORKER-CONF-END-DO-NOT-REMOVE>

  metricsPort: 8081
  daemonsetAnnotations: {}
  podSecurityContext: {}
    # fsGroup: 2000

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    # runAsUser: 1000

  serviceAccount:
    # Specifies whether a service account should be created.
    # We create this by default to make it easier for downstream users to apply PodSecurityPolicies.
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name:

  rbac:
    create: true

  # Allow users to mount the hostPath /usr/src, useful for RHCOS on s390x
  # Does not work on systems without /usr/src AND a read-only /usr, such as Talos
  mountUsrSrc: false

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}

  tolerations: []

  annotations: {}

  affinity: {}

  priorityClassName: ""

topologyUpdater:
  config: ### <NFD-TOPOLOGY-UPDATER-CONF-START-DO-NOT-REMOVE>
    ## key = node name, value = list of resources to be excluded.
    ## use * to exclude from all nodes.
    ## an example for how the exclude list should looks like
    #excludeList:
    #  node1: [cpu]
    #  node2: [memory, example/deviceA]
    #  *: [hugepages-2Mi]
### <NFD-TOPOLOGY-UPDATER-CONF-END-DO-NOT-REMOVE>

  enable: false
  createCRDs: false

  serviceAccount:
    create: true
    annotations: {}
    name:
  rbac:
    create: true

  metricsPort: 8081
  kubeletConfigPath:
  kubeletPodResourcesSockPath:
  updateInterval: 60s
  watchNamespace: "*"
  kubeletStateDir: /var/lib/kubelet

  podSecurityContext: {}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: [ "ALL" ]
    readOnlyRootFilesystem: true
    runAsUser: 0

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  nodeSelector: {}
  tolerations: []
  annotations: {}
  daemonsetAnnotations: {}
  affinity: {}
  podSetFingerprint: true

gc:
  enable: true
  replicaCount: 1

  serviceAccount:
    create: true
    annotations: {}
    name:
  rbac:
    create: true

  interval: 1h

  podSecurityContext: {}

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  metricsPort: 8081

  nodeSelector: {}
  tolerations: []
  annotations: {}
  deploymentAnnotations: {}
  affinity: {}

# Optionally use encryption for worker <--> master comms
# TODO: verify hostname is not yet supported
#
# If you do not enable certManager (and have it installed) you will
# need to manually, or otherwise, provision the TLS certs as secrets
tls:
  enable: false
  certManager: false

prometheus:
  enable: false
  labels: {}