Adding support for hostpath on NIMService (#699)

visheshtanksale · web-flow · commit d0dca131e9fa · 2025-11-13T16:47:54.000-08:00
* Adding support for hostpath on NIMService

Signed-off-by: Vishesh Tanksale &lt;vtanksale@nvidia.com&gt;

* Adding OCP security context

Signed-off-by: Vishesh Tanksale &lt;vtanksale@nvidia.com&gt;

---------

Signed-off-by: Vishesh Tanksale &lt;vtanksale@nvidia.com&gt;
diff --git a/api/apps/v1alpha1/nimservice_types.go b/api/apps/v1alpha1/nimservice_types.go
@@ -499,6 +499,8 @@ func (n *NIMService) GetStandardAnnotations() map[string]string {
 	}
 	if n.GetProxyCertConfigMap() != "" {
 		standardAnnotations["openshift.io/required-scc"] = "anyuid"
+	} else if n.GetHostPath() != "" {
+		standardAnnotations["openshift.io/required-scc"] = "hostmount-anyuid"
 	}
 	return standardAnnotations
 }
@@ -709,7 +711,8 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 			},
 		},
 	}
-	if modelPVC != nil {
+	switch {
+	case modelPVC != nil:
 		volumes = append(volumes, corev1.Volume{
 			Name: "model-store",
 			VolumeSource: corev1.VolumeSource{
@@ -719,7 +722,7 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 				},
 			},
 		})
-	} else if n.Spec.Storage.EmptyDir != nil {
+	case n.Spec.Storage.EmptyDir != nil:
 		volumes = append(volumes, corev1.Volume{
 			Name: "model-store",
 			VolumeSource: corev1.VolumeSource{
@@ -728,6 +731,17 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 				},
 			},
 		})
+	case n.GetHostPath() != "":
+		hostPathType := corev1.HostPathDirectoryOrCreate
+		volumes = append(volumes, corev1.Volume{
+			Name: "model-store",
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: *n.Spec.Storage.HostPath,
+					Type: &hostPathType,
+				},
+			},
+		})
 	}
 
 	if n.GetProxyCertConfigMap() != "" {
@@ -1417,7 +1431,8 @@ func (n *NIMService) GetRoleParams() *rendertypes.RoleParams {
 	params.Namespace = n.GetNamespace()
 
 	// Set rules to use SCC
-	if n.GetProxySpec() != nil {
+	switch {
+	case n.GetProxySpec() != nil:
 		params.Rules = []rbacv1.PolicyRule{
 			{
 				APIGroups:     []string{"security.openshift.io"},
@@ -1426,7 +1441,16 @@ func (n *NIMService) GetRoleParams() *rendertypes.RoleParams {
 				Verbs:         []string{"use"},
 			},
 		}
-	} else {
+	case n.GetHostPath() != "":
+		params.Rules = []rbacv1.PolicyRule{
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"hostmount-anyuid"},
+				Verbs:         []string{"use"},
+			},
+		}
+	default:
 		params.Rules = []rbacv1.PolicyRule{
 			{
 				APIGroups:     []string{"security.openshift.io"},
@@ -1591,6 +1615,14 @@ func (n *NIMService) GetProxyCertConfigMap() string {
 	return ""
 }
 
+// GetHostPath returns the host path for the NIMService deployment.
+func (n *NIMService) GetHostPath() string {
+	if n.Spec.Storage.HostPath != nil && *n.Spec.Storage.HostPath != "" {
+		return *n.Spec.Storage.HostPath
+	}
+	return ""
+}
+
 // GetInferenceServiceParams returns params to render InferenceService from templates.
 func (n *NIMService) GetInferenceServiceParams(
 	deploymentMode kserveconstants.DeploymentModeType) *rendertypes.InferenceServiceParams {
diff --git a/internal/controller/platform/kserve/nimservice.go b/internal/controller/platform/kserve/nimservice.go
@@ -342,9 +342,11 @@ func (r *NIMServiceReconciler) renderAndSyncCache(ctx context.Context,
 		modelPVC = &nimService.Spec.Storage.PVC
 	} else if nimService.Spec.Storage.EmptyDir != nil {
 		modelPVC = nil
+	} else if nimService.Spec.Storage.HostPath != nil && *nimService.Spec.Storage.HostPath != "" {
+		modelPVC = nil
 	} else {
-		err := fmt.Errorf("neither external PVC name or NIMCache volume is provided")
-		logger.Error(err, "failed to determine PVC for model-store")
+		err := fmt.Errorf("neither external PVC name, NIMCache volume, empty dir or local host path should be provided")
+		logger.Error(err, "failed to determine PVC , NIMCache volume, empty dir or local host path for model-store")
 		return nil, "", nil, err
 	}
 
diff --git a/internal/controller/platform/standalone/nimservice.go b/internal/controller/platform/standalone/nimservice.go
@@ -372,9 +372,11 @@ func (r *NIMServiceReconciler) reconcileNIMService(ctx context.Context, nimServi
 		modelPVC = &nimService.Spec.Storage.PVC
 	} else if nimService.Spec.Storage.EmptyDir != nil {
 		modelPVC = nil
+	} else if nimService.Spec.Storage.HostPath != nil && *nimService.Spec.Storage.HostPath != "" {
+		modelPVC = nil
 	} else {
-		err = fmt.Errorf("neither external PVC name, NIMCache volume or empty dir is provided")
-		logger.Error(err, "failed to determine PVC , NIMCache volume or empty dir for model-store")
+		err = fmt.Errorf("neither external PVC name, NIMCache volume, empty dir or local host path should be provided")
+		logger.Error(err, "failed to determine PVC , NIMCache volume, empty dir or local host path for model-store")
 		return ctrl.Result{}, err
 	}
 
