feat(snapshot): add --runtime-class flag for CDI environments

[atif1996]

Summary

• Add --runtime-class flag to aicr snapshot that sets runtimeClassName on the agent pod and injects NVIDIA_VISIBLE_DEVICES=all, giving the agent nvidia-smi access without consuming a GPU allocation
• Mutually exclusive with --require-gpu — clear error recommends --runtime-class as the preferred approach for CDI environments where all GPUs are allocated
• Pre-flight check validates the RuntimeClass exists before creating any resources, failing fast with a clear message on clusters without GPU Operator

Usage

aicr snapshot \
  --runtime-class nvidia \
  --node-selector nvidia.com/gpu.present=true \
  --output snapshot.yaml

Test plan

• --require-gpu + --runtime-class rejected with clear error
• --runtime-class nonexistent fails fast with RuntimeClass not found error
• --runtime-class nvidia --node-selector nvidia.com/gpu.present=true captures snapshot with 8 GPUs detected
• --node-selector alone still works (gpu-count=0 on CDI cluster without runtime class, as expected)
• Table-driven unit tests for buildPodSpec, buildEnvVars, and combined runtime+node-selector
• All affected package tests pass with -race

Closes #433

[github-actions]

Welcome to AICR, @atif1996! Thanks for your first pull request.

Before review, please ensure:

• All commits are signed off per the DCO
• CI checks pass (tests, lint, security scan)
• The PR description explains the why behind your changes

A maintainer will review this soon.

[github-actions]

Coverage Report ✅

Metric	Value
Coverage	73.6%
Threshold	70%
Status	Pass

Coverage Badge

![Coverage](https://img.shields.io/badge/coverage-73.6%25-green)

Merging this branch changes the coverage (1 decrease, 1 increase)

Impacted Packages	Coverage Δ	🤖
github.com/NVIDIA/aicr/pkg/cli	27.27% (-0.10%)	👎
github.com/NVIDIA/aicr/pkg/k8s/agent	77.48% (+1.46%)	👍
github.com/NVIDIA/aicr/pkg/snapshotter	50.45% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/NVIDIA/aicr/pkg/cli/snapshot.go	5.00% (-0.26%)	40 (+2)	2	38 (+2)	👎
github.com/NVIDIA/aicr/pkg/k8s/agent/deployer.go	72.13% (+4.78%)	61 (+12)	44 (+11)	17 (+1)	👍
github.com/NVIDIA/aicr/pkg/k8s/agent/job.go	87.69% (+2.45%)	65 (+4)	57 (+5)	8 (-1)	👍
github.com/NVIDIA/aicr/pkg/k8s/agent/types.go	100.00% (ø)	1	1	0
github.com/NVIDIA/aicr/pkg/snapshotter/agent.go	38.00% (ø)	150	57	93

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

[mchmarny]

Generally speaking it looks good. Looks like there are linting errors though, did make qualify pass locally?

Also, can we add some tests as to not decrease the test coverage?

[yuanchen8911]

LGTM. Clean implementation — good mutual exclusion, pre-flight validation, and test coverage.

A few observations (non-blocking):

1. NVIDIA_VISIBLE_DEVICES=all may conflict with CDI injection. On clusters where GPU Operator uses CDI mode (CDI-enabled ClusterPolicy), the runtime injects NVIDIA_VISIBLE_DEVICES via the CDI spec. Setting it explicitly in the env may override or conflict depending on the container runtime version. Worth a comment noting this is intentional for the non-CDI-allocation path (runtimeClass without resource request).

2. Timeout reuse. validateRuntimeClass uses defaults.K8sJobCreationTimeout for a single GET call. This works but is semantically mismatched — consider defaults.K8sAPICallTimeout or similar if one exists, or just inline a short timeout (5s).

3. Nit: The TestAgentConfigWithRuntimeClassName test only checks struct field defaults — it doesn't exercise any behavior. The job_test.go tests already cover the real logic well, so this test adds limited value.

[yuanchen8911]

Medium finding: validateRuntimeClass() correctly returns ErrCodeNotFound when the RuntimeClass is missing (deployer.go:165), but the caller at agent.go:135 wraps all deploy errors as ErrCodeInternal:

return nil, errors.Wrap(errors.ErrCodeInternal, "failed to deploy agent", deployErr)

This loses the NOT_FOUND signal for callers/automation. Consider returning deployErr directly to preserve the original error code.

[atif1996]

Generally speaking it looks good. Looks like there are linting errors though, did make qualify pass locally?

Also, can we add some tests as to not decrease the test coverage?

Just fixed the lint issues. Taking a look at coverage

LGTM. Clean implementation — good mutual exclusion, pre-flight validation, and test coverage.

A few observations (non-blocking):

1. NVIDIA_VISIBLE_DEVICES=all may conflict with CDI injection. On clusters where GPU Operator uses CDI mode (CDI-enabled ClusterPolicy), the runtime injects NVIDIA_VISIBLE_DEVICES via the CDI spec. Setting it explicitly in the env may override or conflict depending on the container runtime version. Worth a comment noting this is intentional for the non-CDI-allocation path (runtimeClass without resource request).
2. Timeout reuse. validateRuntimeClass uses defaults.K8sJobCreationTimeout for a single GET call. This works but is semantically mismatched — consider defaults.K8sAPICallTimeout or similar if one exists, or just inline a short timeout (5s).
3. Nit: The TestAgentConfigWithRuntimeClassName test only checks struct field defaults — it doesn't exercise any behavior. The job_test.go tests already cover the real logic well, so this test adds limited value.

Removed TestAgentConfigWithRuntimeClassName and other feedback. Ready to re-review

[atif1996]

Generally speaking it looks good. Looks like there are linting errors though, did make qualify pass locally?

Also, can we add some tests as to not decrease the test coverage?

Corrected. Should be ready to re-review.