feat(helm): Allow control of hostUsers

jcpunk · jcpunk · commit a17921240775 · 2026-01-13T11:46:35.000-06:00
Fixes: #2397 Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
diff --git a/deployment/helm/node-feature-discovery/README.md b/deployment/helm/node-feature-discovery/README.md
@@ -175,6 +175,7 @@ NFD.
 | master.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/master-commandline-reference) to pass to nfd-master. |
 | master.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-master container. |
 | master.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| master.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | master.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD master pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). |
 | master.config | string | `nil` | NFD master [configuration](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/master-configuration-reference). |
 | master.port | int | `8080` | Port on which to serve http for metrics and healthz endpoints. |
@@ -228,6 +229,7 @@ NFD.
 | worker.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/worker-commandline-reference) to pass to nfd-worker. |
 | worker.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-worker container. |
 | worker.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| worker.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | worker.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD worker pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | worker.config | string | `nil` | NFD worker [configuration](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/worker-configuration-reference). |
 | worker.port | int | `8080` | Port on which to serve http for metrics and healthz endpoints. |
@@ -271,6 +273,7 @@ NFD.
 | topologyUpdater.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/topology-updater-commandline-reference) to pass to nfd-topology-updater. |
 | topologyUpdater.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-topology-updater container. |
 | topologyUpdater.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| topologyUpdater.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | topologyUpdater.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD topology updater pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | topologyUpdater.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | topologyUpdater.serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations) to add to the service account. |
@@ -314,6 +317,7 @@ NFD.
 | gc.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/gc-commandline-reference) to pass to nfd-gc. |
 | gc.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-gc container. |
 | gc.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| gc.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | gc.replicaCount | int | `1` | The number of desired replicas for the nfd-gc Deployment. |
 | gc.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD gc pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | gc.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
diff --git a/deployment/helm/node-feature-discovery/templates/master.yaml b/deployment/helm/node-feature-discovery/templates/master.yaml
@@ -42,6 +42,9 @@ spec:
       securityContext:
         {{- toYaml .Values.master.podSecurityContext | nindent 8 }}
       hostNetwork: {{ .Values.master.hostNetwork }}
+      {{- if kindIs "bool" .Values.master.hostUsers }}
+      hostUsers: {{ .Values.master.hostUsers }}
+      {{- end }}
       containers:
         - name: master
           securityContext:
diff --git a/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml b/deployment/helm/node-feature-discovery/templates/nfd-gc.yaml
@@ -40,6 +40,9 @@ spec:
       securityContext:
         {{- toYaml .Values.gc.podSecurityContext | nindent 8 }}
       hostNetwork: {{ .Values.gc.hostNetwork }}
+      {{- if kindIs "bool" .Values.gc.hostUsers }}
+      hostUsers: {{ .Values.gc.hostUsers }}
+      {{- end }}
       containers:
       - name: gc
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/deployment/helm/node-feature-discovery/templates/topologyupdater.yaml b/deployment/helm/node-feature-discovery/templates/topologyupdater.yaml
@@ -40,6 +40,9 @@ spec:
       securityContext:
         {{- toYaml .Values.topologyUpdater.podSecurityContext | nindent 8 }}
       hostNetwork: {{ .Values.topologyUpdater.hostNetwork }}
+      {{- if kindIs "bool" .Values.topologyUpdater.hostUsers }}
+      hostUsers: {{ .Values.topologyUpdater.hostUsers }}
+      {{- end }}
       containers:
       - name: topology-updater
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/deployment/helm/node-feature-discovery/templates/worker.yaml b/deployment/helm/node-feature-discovery/templates/worker.yaml
@@ -44,6 +44,9 @@ spec:
       securityContext:
         {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
       hostNetwork: {{ .Values.worker.hostNetwork }}
+      {{- if kindIs "bool" .Values.worker.hostUsers }}
+      hostUsers: {{ .Values.worker.hostUsers }}
+      {{- end }}
       containers:
       - name: worker
         securityContext:
diff --git a/deployment/helm/node-feature-discovery/values.schema.json b/deployment/helm/node-feature-discovery/values.schema.json
@@ -55,6 +55,13 @@
                     "description": "Run the container in the host's network namespace.",
                     "type": "boolean"
                 },
+                "hostUsers": {
+                    "description": "Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.",
+                    "type": [
+                        "boolean",
+                        "null"
+                    ]
+                },
                 "interval": {
                     "description": "Time between periodic garbage collector runs.",
                     "type": "string"
@@ -328,6 +335,13 @@
                     "description": "Run the container in the host's network namespace.",
                     "type": "boolean"
                 },
+                "hostUsers": {
+                    "description": "Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.",
+                    "type": [
+                        "boolean",
+                        "null"
+                    ]
+                },
                 "instance": {
                     "description": "Instance name. Used to separate annotation namespaces for multiple parallel deployments.",
                     "type": [
@@ -645,6 +659,13 @@
                     "description": "Run the container in the host's network namespace.",
                     "type": "boolean"
                 },
+                "hostUsers": {
+                    "description": "Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.",
+                    "type": [
+                        "boolean",
+                        "null"
+                    ]
+                },
                 "kubeletConfigPath": {
                     "description": "Host path for the kubelet config file.",
                     "type": [
@@ -878,6 +899,13 @@
                     "description": "Run the container in the host's network namespace.",
                     "type": "boolean"
                 },
+                "hostUsers": {
+                    "description": "Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.",
+                    "type": [
+                        "boolean",
+                        "null"
+                    ]
+                },
                 "labels": {
                     "description": "[Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to add to the nfd-worker pods.",
                     "$ref": "#/$defs/_definitions.json/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels",
diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml
@@ -65,6 +65,10 @@ master:
   # -- Run the container in the host's network namespace.
   # @section -- NFD-Master
   hostNetwork: false
+  # @schema type: [boolean, null]
+  # -- Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.
+  # @section -- NFD-Master
+  hostUsers: NULL
   # @enum: [Default, ClusterFirst, ClusterFirstWithHostNet, None]
   # -- NFD master pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
   # @section -- NFD-Master
@@ -342,6 +346,10 @@ worker:
   # -- Run the container in the host's network namespace.
   # @section -- NFD-Worker
   hostNetwork: false
+  # @schema type: [boolean, null]
+  # -- Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.
+  # @section -- NFD-Worker
+  hostUsers: NULL
   # @enum: [Default, ClusterFirst, ClusterFirstWithHostNet, None]
   # -- NFD worker pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy).
   # @section -- NFD-Worker
@@ -768,6 +776,10 @@ topologyUpdater:
   # -- Run the container in the host's network namespace.
   # @section -- NFD-Topology-Updater
   hostNetwork: false
+  # @schema type: [boolean, null]
+  # -- Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.
+  # @section -- NFD-Topology-Updater
+  hostUsers: NULL
   # @enum: [Default, ClusterFirst, ClusterFirstWithHostNet, None]
   # -- NFD topology updater pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy).
   # @section -- NFD-Topology-Updater
@@ -936,6 +948,10 @@ gc:
   # -- Run the container in the host's network namespace.
   # @section -- NFD-GC
   hostNetwork: false
+  # @schema type: [boolean, null]
+  # -- Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true.
+  # @section -- NFD-GC
+  hostUsers: NULL
   # -- The number of desired replicas for the nfd-gc Deployment.
   # @section -- NFD-GC
   replicaCount: 1
diff --git a/docs/deployment/helm.md b/docs/deployment/helm.md
@@ -193,6 +193,7 @@ NFD.
 | master.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/master-commandline-reference) to pass to nfd-master. |
 | master.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-master container. |
 | master.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| master.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | master.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD master pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). |
 | master.config | string | `nil` | NFD master [configuration](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/master-configuration-reference). |
 | master.port | int | `8080` | Port on which to serve http for metrics and healthz endpoints. |
@@ -246,6 +247,7 @@ NFD.
 | worker.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/worker-commandline-reference) to pass to nfd-worker. |
 | worker.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-worker container. |
 | worker.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| worker.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | worker.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD worker pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | worker.config | string | `nil` | NFD worker [configuration](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/worker-configuration-reference). |
 | worker.port | int | `8080` | Port on which to serve http for metrics and healthz endpoints. |
@@ -289,6 +291,7 @@ NFD.
 | topologyUpdater.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/topology-updater-commandline-reference) to pass to nfd-topology-updater. |
 | topologyUpdater.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-topology-updater container. |
 | topologyUpdater.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| topologyUpdater.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | topologyUpdater.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD topology updater pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | topologyUpdater.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | topologyUpdater.serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations) to add to the service account. |
@@ -332,6 +335,7 @@ NFD.
 | gc.extraArgs | list | `[]` | Additional [command line arguments](https://kubernetes-sigs.github.io/node-feature-discovery/master/reference/gc-commandline-reference) to pass to nfd-gc. |
 | gc.extraEnvs | list | `[]` | Additional environment variables to set in the nfd-gc container. |
 | gc.hostNetwork | bool | `false` | Run the container in the host's network namespace. |
+| gc.hostUsers | string | `nil` | Run the container with host user ids. NOTE: if hostNetwork is true, hostUsers should be true. |
 | gc.replicaCount | int | `1` | The number of desired replicas for the nfd-gc Deployment. |
 | gc.dnsPolicy | string | `"ClusterFirstWithHostNet"` | NFD gc pod [dnsPolicy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policy). |
 | gc.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
