issue 8185: allow to disable node-agent host path (#9068)

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

changelogs/unreleased/9068-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #8185, allow users to disable pod volume host path mount for node-agent

pkg/cmd/cli/install/install.go

@@ -89,6 +89,7 @@ type Options struct {
 	RepoMaintenanceJobConfigMap     string
 	NodeAgentConfigMap              string
 	ItemBlockWorkerCount            int
+	NodeAgentDisableHostPath        bool
 }
 
 // BindFlags adds command line values to the options struct.
@@ -134,6 +135,7 @@ func (o *Options) BindFlags(flags *pflag.FlagSet) {
 	flags.BoolVar(&o.DefaultSnapshotMoveData, "default-snapshot-move-data", o.DefaultSnapshotMoveData, "Bool flag to configure Velero server to move data by default for all snapshots supporting data movement. Optional.")
 	flags.BoolVar(&o.DisableInformerCache, "disable-informer-cache", o.DisableInformerCache, "Disable informer cache for Get calls on restore. With this enabled, it will speed up restore in cases where there are backup resources which already exist in the cluster, but for very large clusters this will increase velero memory usage. Default is false (don't disable). Optional.")
 	flags.BoolVar(&o.ScheduleSkipImmediately, "schedule-skip-immediately", o.ScheduleSkipImmediately, "Skip the first scheduled backup immediately after creating a schedule. Default is false (don't skip).")
+	flags.BoolVar(&o.NodeAgentDisableHostPath, "node-agent-disable-host-path", o.NodeAgentDisableHostPath, "Don't mount the pod volume host path to node-agent. Optional. Pod volume host path mount is required by fs-backup but could be disabled for other backup methods.")
 
 	flags.IntVar(
 		&o.KeepLatestMaintenanceJobs,
@@ -218,6 +220,7 @@ func NewInstallOptions() *Options {
 		DefaultSnapshotMoveData:  false,
 		DisableInformerCache:     false,
 		ScheduleSkipImmediately:  false,
+		NodeAgentDisableHostPath: false,
 	}
 }
 
@@ -292,6 +295,7 @@ func (o *Options) AsVeleroOptions() (*install.VeleroOptions, error) {
 		RepoMaintenanceJobConfigMap:     o.RepoMaintenanceJobConfigMap,
 		NodeAgentConfigMap:              o.NodeAgentConfigMap,
 		ItemBlockWorkerCount:            o.ItemBlockWorkerCount,
+		NodeAgentDisableHostPath:        o.NodeAgentDisableHostPath,
 	}, nil
 }
 

pkg/install/daemonset.go

@@ -63,6 +63,54 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 		dsName = "node-agent-windows"
 	}
 
+	volumes := []corev1api.Volume{}
+	volumeMounts := []corev1api.VolumeMount{}
+	if !c.nodeAgentDisableHostPath {
+		volumes = append(volumes, []corev1api.Volume{
+			{
+				Name: "host-pods",
+				VolumeSource: corev1api.VolumeSource{
+					HostPath: &corev1api.HostPathVolumeSource{
+						Path: "/var/lib/kubelet/pods",
+					},
+				},
+			},
+			{
+				Name: "host-plugins",
+				VolumeSource: corev1api.VolumeSource{
+					HostPath: &corev1api.HostPathVolumeSource{
+						Path: "/var/lib/kubelet/plugins",
+					},
+				},
+			},
+		}...)
+
+		volumeMounts = append(volumeMounts, []corev1api.VolumeMount{
+			{
+				Name:             nodeagent.HostPodVolumeMount,
+				MountPath:        nodeagent.HostPodVolumeMountPath(),
+				MountPropagation: &mountPropagationMode,
+			},
+			{
+				Name:             "host-plugins",
+				MountPath:        "/var/lib/kubelet/plugins",
+				MountPropagation: &mountPropagationMode,
+			},
+		}...)
+	}
+
+	volumes = append(volumes, corev1api.Volume{
+		Name: "scratch",
+		VolumeSource: corev1api.VolumeSource{
+			EmptyDir: new(corev1api.EmptyDirVolumeSource),
+		},
+	})
+
+	volumeMounts = append(volumeMounts, corev1api.VolumeMount{
+		Name:      "scratch",
+		MountPath: "/scratch",
+	})
+
 	daemonSet := &appsv1api.DaemonSet{
 		ObjectMeta: objectMeta(namespace, dsName),
 		TypeMeta: metav1.TypeMeta{
@@ -88,30 +136,7 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 					SecurityContext: &corev1api.PodSecurityContext{
 						RunAsUser: &userID,
 					},
-					Volumes: []corev1api.Volume{
-						{
-							Name: "host-pods",
-							VolumeSource: corev1api.VolumeSource{
-								HostPath: &corev1api.HostPathVolumeSource{
-									Path: "/var/lib/kubelet/pods",
-								},
-							},
-						},
-						{
-							Name: "host-plugins",
-							VolumeSource: corev1api.VolumeSource{
-								HostPath: &corev1api.HostPathVolumeSource{
-									Path: "/var/lib/kubelet/plugins",
-								},
-							},
-						},
-						{
-							Name: "scratch",
-							VolumeSource: corev1api.VolumeSource{
-								EmptyDir: new(corev1api.EmptyDirVolumeSource),
-							},
-						},
-					},
+					Volumes: volumes,
 					Containers: []corev1api.Container{
 						{
 							Name:            dsName,
@@ -125,22 +150,7 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 							SecurityContext: &corev1api.SecurityContext{
 								Privileged: &c.privilegedNodeAgent,
 							},
-							VolumeMounts: []corev1api.VolumeMount{
-								{
-									Name:             nodeagent.HostPodVolumeMount,
-									MountPath:        nodeagent.HostPodVolumeMountPath(),
-									MountPropagation: &mountPropagationMode,
-								},
-								{
-									Name:             "host-plugins",
-									MountPath:        "/var/lib/kubelet/plugins",
-									MountPropagation: &mountPropagationMode,
-								},
-								{
-									Name:      "scratch",
-									MountPath: "/scratch",
-								},
-							},
+							VolumeMounts: volumeMounts,
 							Env: []corev1api.EnvVar{
 								{
 									Name: "NODE_NAME",

pkg/install/daemonset_test.go

@@ -38,6 +38,8 @@ func TestDaemonSet(t *testing.T) {
 	assert.Equal(t, "linux", string(ds.Spec.Template.Spec.OS.Name))
 	assert.Equal(t, corev1api.PodSecurityContext{RunAsUser: &userID}, *ds.Spec.Template.Spec.SecurityContext)
 	assert.Equal(t, corev1api.SecurityContext{Privileged: &boolFalse}, *ds.Spec.Template.Spec.Containers[0].SecurityContext)
+	assert.Len(t, ds.Spec.Template.Spec.Volumes, 3)
+	assert.Len(t, ds.Spec.Template.Spec.Containers[0].VolumeMounts, 3)
 
 	ds = DaemonSet("velero", WithPrivilegedNodeAgent(true))
 	assert.Equal(t, corev1api.SecurityContext{Privileged: &boolTrue}, *ds.Spec.Template.Spec.Containers[0].SecurityContext)
@@ -61,6 +63,10 @@ func TestDaemonSet(t *testing.T) {
 	ds = DaemonSet("velero", WithServiceAccountName("test-sa"))
 	assert.Equal(t, "test-sa", ds.Spec.Template.Spec.ServiceAccountName)
 
+	ds = DaemonSet("velero", WithNodeAgentDisableHostPath(true))
+	assert.Len(t, ds.Spec.Template.Spec.Volumes, 1)
+	assert.Len(t, ds.Spec.Template.Spec.Containers[0].VolumeMounts, 1)
+
 	ds = DaemonSet("velero", WithForWindows())
 	assert.Equal(t, "node-agent-windows", ds.Spec.Template.Spec.Containers[0].Name)
 	assert.Equal(t, "velero", ds.ObjectMeta.Namespace)

pkg/install/deployment.go

@@ -59,6 +59,7 @@ type podTemplateConfig struct {
 	nodeAgentConfigMap              string
 	itemBlockWorkerCount            int
 	forWindows                      bool
+	nodeAgentDisableHostPath        bool
 }
 
 func WithImage(image string) podTemplateOption {
@@ -226,6 +227,12 @@ func WithForWindows() podTemplateOption {
 	}
 }
 
+func WithNodeAgentDisableHostPath(disable bool) podTemplateOption {
+	return func(c *podTemplateConfig) {
+		c.nodeAgentDisableHostPath = disable
+	}
+}
+
 func Deployment(namespace string, opts ...podTemplateOption) *appsv1api.Deployment {
 	// TODO: Add support for server args
 	c := &podTemplateConfig{

pkg/install/resources.go

@@ -269,6 +269,7 @@ type VeleroOptions struct {
 	RepoMaintenanceJobConfigMap     string
 	NodeAgentConfigMap              string
 	ItemBlockWorkerCount            int
+	NodeAgentDisableHostPath        bool
 }
 
 func AllCRDs() *unstructured.UnstructuredList {
@@ -404,6 +405,7 @@ func AllResources(o *VeleroOptions) *unstructured.UnstructuredList {
 			WithResources(o.NodeAgentPodResources),
 			WithSecret(secretPresent),
 			WithServiceAccountName(serviceAccountName),
+			WithNodeAgentDisableHostPath(o.NodeAgentDisableHostPath),
 		}
 		if len(o.Features) > 0 {
 			dsOpts = append(dsOpts, WithFeatures(o.Features))