Intel FPGA admission controller for Kubernetes

Table of Contents

Introduction

The FPGA admission controller is one of the components used to add support for Intel FPGA devices to Kubernetes.

NOTE: Installation of the FPGA admission controller can be skipped if the FPGA device plugin is operated with the Intel Device Plugins Operator since it integrates the controller’s functionality.

The FPGA admission controller webhook is responsible for performing mapping from user-friendly function IDs to the Interface ID and Bitstream ID that are required for FPGA programming by the FPGA OCI createRuntime hook.

Mappings are stored in namespaced custom resource definition (CRD) objects, therefore the admission controller also performs access control, determining which bitstream can be used for which namespace. More details can be found in the Mappings section.

The admission controller also keeps the user from bypassing namespaced mapping restrictions, by denying admission of any pods that are trying to use internal knowledge of InterfaceID or Bitstream ID environment variables used by the createRuntime hook.

Dependencies

This component is one of a set of components that work together. You may also want to install the following:

All components have the same basic dependencies as the generic plugin framework dependencies

Installation

The following sections detail how to obtain, build and deploy the admission controller webhook plugin.

Pre-requisites

The default webhook deployment depends on having cert-manager installed. See its installation instructions here.

Note: The default deployment for the Intel FPGA webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.

Also if your cluster operates behind a corporate proxy make sure that the API server is configured not to send requests to cluster services through the proxy. You can check that with the following command:

$ kubectl describe pod kube-apiserver --namespace kube-system | grep -i no_proxy | grep "\.svc"

In case there’s no output and your cluster was deployed with kubeadm open /etc/kubernetes/manifests/kube-apiserver.yaml at the control plane nodes and append .svc and .svc.cluster.local to the no_proxy environment variable:

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.237.71.99
    ...
    env:
    - name: http_proxy
      value: http://proxy.host:8080
    - name: https_proxy
      value: http://proxy.host:8433
    - name: no_proxy
      value: 127.0.0.1,localhost,.example.com,10.0.0.0/8,.svc,.svc.cluster.local
    ...

Note: To build clusters using kubeadm with the right no_proxy settings from the very beginning, set the cluster service names to $no_proxy before kubeadm init:

$ export no_proxy=$no_proxy,.svc,.svc.cluster.local

Mappings

Mappings is a an essential part of the setup that gives a flexible instrument to a cluster administrator to manage FPGA bitstreams and to control access to them. Being a set of custom resource definitions they are used to configure the way FPGA resource requests get translated into actual resources provided by the cluster.

For the following mapping

apiVersion: fpga.intel.com/v2
kind: AcceleratorFunction
metadata:
  name: arria10.dcp1.2-nlb0-preprogrammed
spec:
  afuId: d8424dc4a4a3c413f89e433683f9040b
  interfaceId: 69528db6eb31577a8c3668f9faa081f6
  mode: af

requested FPGA resources are translated to AF resources. For example, fpga.intel.com/arria10.dcp1.2-nlb0-preprogrammed is translated to fpga.intel.com/af-695.d84.aVKNtusxV3qMNmj5-qCB9thCTcSko8QT-J5DNoP5BAs where the af- prefix indicates the plugin’s mode (af), 695 is the first three characters of the region interface ID, d84 is the first three characters of the accelerator function ID and the last part aVKNtusxV3qMNmj5-qCB9thCTcSko8QT-J5DNoP5BAs is a base64-encoded concatenation of the full region interface ID and accelerator function ID. The format of resource names (e.g. arria10.dcp1.2-nlb0-preprogrammed) can be any and is up to a cluster administrator.

The same mapping, but with its mode field set to region, would translate fpga.intel.com/arria10.dcp1.2-nlb0-preprogrammed to fpga.intel.com/region-69528db6eb31577a8c3668f9faa081f6, and the corresponding AF IDs are set in environment variables for the container. Though in this case the cluster administrator would probably want to rename the mapping arria10.dcp1.2-nlb0-preprogrammed to something like arria10.dcp1.2-nlb0-orchestrated to reflect its mode. The FPGA OCI createRuntime hook then loads the requested bitstream to a region before the container is started.

Mappings of resource names are configured with objects of AcceleratorFunction and FpgaRegion custom resource definitions found respectively in ./deployment/fpga_admissionwebhook/crd/bases/fpga.intel.com_af.yaml and ./deployment/fpga_admissionwebhook/crd/bases/fpga.intel.com_region.yaml.

Example mappings between ‘names’ and ‘ID’s are controlled by the admission controller mappings collection file found in ./deployments/fpga_admissionwebhook/mappings-collection.yaml.

Deployment

Webhook deployment

To deploy the webhook, run

$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/fpga_admissionwebhook/default?ref=main
namespace/intelfpgawebhook-system created
customresourcedefinition.apiextensions.k8s.io/acceleratorfunctions.fpga.intel.com created
customresourcedefinition.apiextensions.k8s.io/fpgaregions.fpga.intel.com created
mutatingwebhookconfiguration.admissionregistration.k8s.io/intelfpgawebhook-mutating-webhook-configuration created
clusterrole.rbac.authorization.k8s.io/intelfpgawebhook-manager-role created
clusterrolebinding.rbac.authorization.k8s.io/intelfpgawebhook-manager-rolebinding created
service/intelfpgawebhook-webhook-service created
deployment.apps/intelfpgawebhook-webhook created
certificate.cert-manager.io/intelfpgawebhook-serving-cert created
issuer.cert-manager.io/intelfpgawebhook-selfsigned-issuer created

Mappings deployment

Mappings deployment is a mandatory part of the webhook deployment. You should prepare and deploy mappings that describe FPGA bitstreams available in your cluster.

Example mappings collection ./deployments/fpga_admissionwebhook/mappings-collection.yaml can be used as an example for cluster mappings. This collection is not intended to be deployed as is, it should be used as a reference and example of your own cluster mappings.

To deploy the mappings, run

$ kubectl apply -f <path to mappings yaml>

Note that the mappings are scoped to the namespaces they were created in and they are applicable to pods created in the corresponding namespaces.

Next steps

Continue with FPGA OCI createRuntime hook.