Skip to content

Add custom labels, securityContext to DaemonSets#2120

Open
faganihajizada wants to merge 1 commit intoNVIDIA:mainfrom
faganihajizada:feat/custom-labels-and-security-context
Open

Add custom labels, securityContext to DaemonSets#2120
faganihajizada wants to merge 1 commit intoNVIDIA:mainfrom
faganihajizada:feat/custom-labels-and-security-context

Conversation

@faganihajizada
Copy link
Contributor

@faganihajizada faganihajizada commented Feb 11, 2026
edited
Loading

Description

Closes #1030

Adds three capabilities to ClusterPolicy:

Custom labels/annotations on validator workload pods: spec.daemonsets.labels and spec.daemonsets.annotations now propagate from the validator DaemonSet pod template onto the standalone CUDA and plugin validator workload pods. Protected selector labels (app, app.kubernetes.io/part-of) are skipped to preserve pod identity.

Custom labels on NFD components: New commonLabels value in the NFD Helm subchart, injected into the shared node-feature-discovery.labels template. Applies to all NFD-managed resources (DaemonSets, Deployments, etc.) without affecting selector labels.

Custom securityContext on DaemonSets:

  • podSecurityContext — sets pod-level security context for all DaemonSet pods (full replace, consistent with how tolerations and priorityClassName are applied)
  • securityContext — sets default container-level security context for all containers and initContainers (merge: only fills nil fields, so component-specific values are preserved)

Design notes

  • Pod-level SecurityContext is full replace, not merge. This matches the existing pattern for tolerations and priorityClassName in applyCommonDaemonsetConfig. No embedded DaemonSet manifest currently sets a pod-level SecurityContext, so there is nothing to lose on replace.

  • Container-level SecurityContext uses nil-field merge. Every container in the operator's DaemonSet manifests already sets privileged: true. A full replace would wipe that. The merge ensures global defaults only fill in what components haven't explicitly set. applyCommonDaemonsetConfig runs before component transforms (t(obj, ...)), so transforms can still override individual fields afterward.

  • mergeSecurityContext is explicit field-by-field (all 12 SecurityContext fields). This is deliberate over reflection or a library, it's readable, has no external dependencies, and matches the codebase style of explicit struct handling.

The issue references "Jobs" but the cuda-validator and plugin-validator are standalone Pods created by the validator DaemonSet, not Jobs. The label propagation targets these Pods.

Checklist

  • No secrets, sensitive information, or unrelated changes
  • Lint checks passing (make lint)
  • Generated assets in-sync (make validate-generated-assets)
  • Go mod artifacts in-sync (make validate-modules)
  • Test cases are added for new code paths

Testing

  • Unit tests for mergeSecurityContext (5 cases: nil target, nil defaults, empty target, merge with existing, no-overwrite)
  • Unit tests for applyCommonDaemonsetConfig (4 new cases: podSecurityContext, nil container SecurityContext, merge into existing, initContainers)
  • Unit tests for applyDaemonsetMetadataToPod (4 cases: no-op, label skip, annotations, nil labels)
  • Unit tests for applyCommonDaemonsetMetadata (existing tests still pass)

@copy-pr-bot
Copy link

copy-pr-bot bot commented Feb 11, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@faganihajizada
Add custom labels, securityContext to DaemonSets
cc94407 
Allow users to configure pod-level and container-level security contexts
globally for all DaemonSets via spec.daemonsets.podSecurityContext and
spec.daemonsets.securityContext. Pod-level replaces the existing context;
container-level merges into each container, preserving fields already set
by component transforms.

Propagate custom labels and annotations from the validator DaemonSet pod
template onto CUDA and plugin workload pods, skipping protected selector
labels ("app", "app.kubernetes.io/part-of").

Add commonLabels support to the NFD Helm subchart so users can inject
additional labels onto all NFD resources.
@faganihajizada faganihajizada force-pushed the feat/custom-labels-and-security-context branch from 57fee73 to cc94407 Compare February 11, 2026 12:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ArangoGutierrez ArangoGutierrez Awaiting requested review from ArangoGutierrez ArangoGutierrez is a code owner

@cdesiniotis cdesiniotis Awaiting requested review from cdesiniotis cdesiniotis is a code owner

@shivamerla shivamerla Awaiting requested review from shivamerla shivamerla is a code owner

@tariq1890 tariq1890 Awaiting requested review from tariq1890 tariq1890 is a code owner

@karthikvetrivel karthikvetrivel Awaiting requested review from karthikvetrivel karthikvetrivel is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow adding custom labels and securityContext to the components deployed by ClusterPolicy

1 participant

@faganihajizada