From fceb0e632e4a655f207781bfbe670f9847ab0265 Mon Sep 17 00:00:00 2001 From: jimmychiuuuu Date: Fri, 29 May 2026 02:53:16 +0000 Subject: [PATCH] Increase DeviceLimit for TDX and SEV-SNP to 256 and update test --- deviceplugin/ccdevice_test.go | 63 ++++++++++++++++------------------- main.go | 8 +++-- 2 files changed, 33 insertions(+), 38 deletions(-) diff --git a/deviceplugin/ccdevice_test.go b/deviceplugin/ccdevice_test.go index d08e4b8..d652252 100644 --- a/deviceplugin/ccdevice_test.go +++ b/deviceplugin/ccdevice_test.go @@ -116,7 +116,7 @@ func TestDiscoverTDX(t *testing.T) { Resource: "intel.com/tdx", Type: HardwareAttestation, DevicePaths: []string{"dev/tdx-guest"}, - DeviceLimit: 1, + DeviceLimit: 256, } cdp := constructTestPlugin(t, spec) devices, err := cdp.discoverCcDevices() @@ -124,8 +124,8 @@ func TestDiscoverTDX(t *testing.T) { t.Fatalf("discoverCcDevices failed: %v", err) } - if len(devices) != 1 { - t.Fatalf("Expected 1 device, got %d", len(devices)) + if len(devices) != 256 { + t.Fatalf("Expected 256 devices, got %d", len(devices)) } // Hardware-based should NOT have mounts if len(devices[0].Mounts) != 0 { @@ -138,7 +138,7 @@ func TestDiscoverSEVSNP(t *testing.T) { Resource: "amd.com/sev-snp", Type: HardwareAttestation, DevicePaths: []string{"dev/sev-guest"}, - DeviceLimit: 1, + DeviceLimit: 256, } cdp := constructTestPlugin(t, spec) devices, err := cdp.discoverCcDevices() @@ -146,8 +146,8 @@ func TestDiscoverSEVSNP(t *testing.T) { t.Fatalf("discoverCcDevices failed: %v", err) } - if len(devices) != 1 { - t.Fatalf("Expected 1 device, got %d", len(devices)) + if len(devices) != 256 { + t.Fatalf("Expected 256 devices, got %d", len(devices)) } if len(devices[0].Mounts) != 0 { t.Errorf("SEV-SNP should have 0 mounts, got %d", len(devices[0].Mounts)) @@ -188,10 +188,9 @@ func TestRefreshDevices(t *testing.T) { Resource: "intel.com/tdx", Type: HardwareAttestation, DevicePaths: []string{"dev/tdx-guest"}, - DeviceLimit: 1, + DeviceLimit: 256, } cdp := constructTestPlugin(t, spec) - devPath := spec.DevicePaths[0] // 1. Initial Refresh changed, err := cdp.refreshDevices() @@ -199,14 +198,10 @@ func TestRefreshDevices(t *testing.T) { t.Errorf("First refresh: err=%v, changed=%v (want false)", err, changed) } - // 2. Second Refresh (No change) - changed, err = cdp.refreshDevices() - if err != nil || !changed { - t.Errorf("Second refresh: err=%v, changed=%v (want true)", err, changed) + // 2. Remove all devices and refresh + for _, path := range spec.DevicePaths { + os.Remove(path) } - - // 3. Remove device and refresh - os.Remove(devPath) changed, err = cdp.refreshDevices() if err != nil || changed { t.Errorf("Third refresh (removed): err=%v, changed=%v (want false)", err, changed) @@ -217,12 +212,13 @@ func TestRefreshDevices(t *testing.T) { } func TestAllocate(t *testing.T) { + limit := 2 spec := &CcDeviceSpec{ Resource: "google.com/cc", Type: SoftwareAttestation, DevicePaths: []string{"dev/tpmrm0"}, MeasurementPaths: []string{"sys/binary_bios_measurements"}, - DeviceLimit: 2, + DeviceLimit: limit, } cdp := constructTestPlugin(t, spec) if _, err := cdp.refreshDevices(); err != nil { @@ -230,26 +226,23 @@ func TestAllocate(t *testing.T) { } ctx := context.Background() - expectedID := getExpectedID(spec.Resource, spec.DeviceLimit, 0) - - req := &v1beta1.AllocateRequest{ - ContainerRequests: []*v1beta1.ContainerAllocateRequest{{ - DevicesIDs: []string{expectedID}, - }}, - } - - resp, err := cdp.Allocate(ctx, req) - if err != nil { - t.Fatalf("Allocate failed: %v", err) - } + // Test allocation for index 0 and 1 + for i := 0; i < limit; i++ { + expectedID := getExpectedID(spec.Resource, limit, i) + req := &v1beta1.AllocateRequest{ + ContainerRequests: []*v1beta1.ContainerAllocateRequest{{ + DevicesIDs: []string{expectedID}, + }}, + } - if len(resp.ContainerResponses) != 1 { - t.Fatalf("Expected 1 response, got %d", len(resp.ContainerResponses)) - } + resp, err := cdp.Allocate(ctx, req) + if err != nil { + t.Fatalf("Allocate failed for ID %s: %v", expectedID, err) + } - // Verify the response contains the mount for software attestation - if len(resp.ContainerResponses[0].Mounts) == 0 { - t.Errorf("Expected mount in AllocateResponse for software attestation") + if len(resp.ContainerResponses) != 1 { + t.Fatalf("Expected 1 response, got %d", len(resp.ContainerResponses)) + } } } @@ -292,7 +285,7 @@ func TestListAndWatch(t *testing.T) { Resource: "intel.com/tdx", Type: HardwareAttestation, DevicePaths: []string{"dev/tdx-guest"}, - DeviceLimit: 1, + DeviceLimit: 256, } cdp := constructTestPlugin(t, spec) stream := listAndWatchServerStub{} diff --git a/main.go b/main.go index fc04a29..00f2fef 100644 --- a/main.go +++ b/main.go @@ -45,6 +45,8 @@ const ( logLevelWarn = "warn" logLevelError = "error" logLevelNone = "none" + // By default, GKE allows up to 110 Pods per node on Standard clusters. Standard clusters can be configured to allow up to 256 Pods per node. + workloadSharedLimit = 256 ) var ( @@ -68,7 +70,7 @@ func Main() error { Type: deviceplugin.SoftwareAttestation, // Explicitly marked as software DevicePaths: []string{"/dev/tpmrm0"}, MeasurementPaths: []string{"/sys/kernel/security/tpm0/binary_bios_measurements"}, - DeviceLimit: 256, // Allow multiple pods to share the vTPM + DeviceLimit: workloadSharedLimit, }, { // Intel TDX @@ -77,7 +79,7 @@ func Main() error { DevicePaths: []string{"/dev/tdx-guest", "/dev/tdx_guest"}, // Some kernels use different names // TDX does not have a separate measurement file, attestation is done via ioctl. MeasurementPaths: []string{}, - DeviceLimit: 1, // Only one container can use the TDX device at a time per node + DeviceLimit: workloadSharedLimit, }, { // AMD SEV-SNP @@ -86,7 +88,7 @@ func Main() error { DevicePaths: []string{"/dev/sev-guest"}, // SEV-SNP also uses ioctl for attestation. MeasurementPaths: []string{}, - DeviceLimit: 1, // Only one container can use the SEV-SNP device at a time per node + DeviceLimit: workloadSharedLimit, }, }