Intel GPU Plugin
Kubernetes device plugin that exposes Intel GPU resources to pods.
The Intel GPU Plugin is part of Intel's Device Plugins for Kubernetes. It runs as a DaemonSet and registers Intel integrated and discrete GPU devices (gpu.intel.com/i915 and related resources) with the kubelet device plugin API, making them requestable in pod specs. It is used in this cluster to enable hardware-accelerated transcoding and compute workloads (e.g. Jellyfin) on nodes with Intel iGPUs.
Installation
Architecture
Raw DaemonSet manifest (no HelmRelease, no Helm chart). Image: intel/intel-gpu-plugin:0.35.0 (digest-pinned: sha256:34697f9c28...). Deployed in the kube-system namespace. Targets amd64 nodes via nodeSelector. Mounts /dev/dri, /sys/class/drm (read-only), /var/lib/kubelet/device-plugins, and /var/run/cdi. Uses a rolling update strategy with maxUnavailable: 1.
Security
Container securityContext: allowPrivilegeEscalation: false, capabilities: drop: ALL, readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault. The plugin needs host device access (/dev/dri) but drops all capabilities. No cluster-wide RBAC required — device plugins use the kubelet gRPC socket directly.
Updates
Managed by Renovate. Image is digest-pinned (sha256:34697f9c286857da986381595ac2a693524a83c831955247dae47dfda4d2f526).
Administration
Usage
Pods request Intel GPU resources by adding resources.limits: gpu.intel.com/i915: "1" (or the appropriate resource name) to their container spec. The device plugin makes /dev/dri device nodes available inside the container. Media transcoding applications like Jellyfin use this to offload video encode/decode to the Intel iGPU.
Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/intel-gpu-plugin/README.md.
Cluster Deployment
Intel GPU Plugin — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/intel-gpu-plugin.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/platform/intel-gpu-plugin.mdx — document anything this cluster does differently here, with a one-line reason.
- Image: intel/intel-gpu-plugin:0.36.0@sha256:2db679be62b52ac985169084ca711cab6e6c59fe543ab2ddee58163d6f8d29e0
Rendered manifests (kustomize build)
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: intel-gpu-plugin
  name: intel-gpu-plugin
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: intel-gpu-plugin
  template:
    metadata:
      labels:
        app: intel-gpu-plugin
    spec:
      containers:
      - env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        image: intel/intel-gpu-plugin:0.36.0@sha256:2db679be62b52ac985169084ca711cab6e6c59fe543ab2ddee58163d6f8d29e0
        imagePullPolicy: IfNotPresent
        name: intel-gpu-plugin
        resources:
          limits:
            cpu: 100m
            memory: 90Mi
          requests:
            cpu: 40m
            memory: 45Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /dev/dri
          name: devfs
          readOnly: true
        - mountPath: /sys/class/drm
          name: sysfsdrm
          readOnly: true
        - mountPath: /var/lib/kubelet/device-plugins
          name: kubeletsockets
        - mountPath: /var/run/cdi
          name: cdipath
      nodeSelector:
        kubernetes.io/arch: amd64
      volumes:
      - hostPath:
          path: /dev/dri
        name: devfs
      - hostPath:
          path: /sys/class/drm
        name: sysfsdrm
      - hostPath:
          path: /var/lib/kubelet/device-plugins
        name: kubeletsockets
      - hostPath:
          path: /var/run/cdi
          type: DirectoryOrCreate
        name: cdipath
  updateStrategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
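A drift check for the rendered DaemonSet against the settings documented under Security and Updates (securityContext fields, digest-pinned image, the four host paths and their read-only flags). This is an added example, not part of this repository; the names audit_daemonset, sample_manifest and EXPECTED_HOST_PATHS are hypothetical, and the sample input is constructed with a placeholder digest.

```python
import re

# hostPath -> must the mount be read-only? Paths and modes follow the rendered manifest above.
EXPECTED_HOST_PATHS = {"/dev/dri": True, "/sys/class/drm": True,
                       "/var/lib/kubelet/device-plugins": False, "/var/run/cdi": False}
DIGEST_PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_daemonset(ds):
    """Return findings; an empty list means the manifest matches the documented posture."""
    findings = []
    pod = ds["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    for name, path in host_paths.items():
        if path not in EXPECTED_HOST_PATHS:
            findings.append(f"volume {name}: unexpected hostPath {path}")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        checks = [
            (DIGEST_PINNED.search(c.get("image", "")), "image not digest-pinned"),
            (sc.get("allowPrivilegeEscalation") is False, "allowPrivilegeEscalation not false"),
            ("ALL" in caps.get("drop", []) and not caps.get("add"), "capabilities not fully dropped"),
            (sc.get("readOnlyRootFilesystem") is True, "root filesystem writable"),
            (sc.get("seccompProfile", {}).get("type") == "RuntimeDefault", "seccomp not RuntimeDefault"),
        ]
        findings += [f"{c['name']}: {msg}" for ok, msg in checks if not ok]
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            # Only paths marked True in the allowlist are required to be read-only.
            if EXPECTED_HOST_PATHS.get(path) and not m.get("readOnly"):
                findings.append(f"{c['name']}: {path} mounted read-write")
    return findings

def sample_manifest():
    """Constructed sample: the security-relevant fields of the rendered DaemonSet, as a dict."""
    vols = [("devfs", "/dev/dri", True), ("sysfsdrm", "/sys/class/drm", True),
            ("kubeletsockets", "/var/lib/kubelet/device-plugins", False),
            ("cdipath", "/var/run/cdi", False)]
    container = {
        "name": "intel-gpu-plugin",
        "image": "intel/intel-gpu-plugin:0.36.0@sha256:" + "0" * 64,  # placeholder digest
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
                            "readOnlyRootFilesystem": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "volumeMounts": [{"name": n, "mountPath": p, "readOnly": ro} for n, p, ro in vols],
    }
    return {"spec": {"template": {"spec": {
        "containers": [container],
        "volumes": [{"name": n, "hostPath": {"path": p}} for n, p, _ in vols]}}}}
```

To run it against the live object, pass the result of json.load on the output of `kubectl -n kube-system get daemonset intel-gpu-plugin -o json`.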