
Daemonset container and initContainer can run only in privileged mode for daemonset-mps-control-daemon

Open kndoni opened this issue 1 year ago • 2 comments

Notes

Dear team.

I noticed the following issue in daemonset-mps-control-daemon.yml. There is one container and one initContainer that can run only with privileged set to true. But in the security context, when implementing security policies, for example with Kyverno, privileged should be set to false by default and capabilities might be added.

Can you please take this issue into consideration? I have created one PR, but I don't think the PR will solve this issue completely in the MPS daemonset.

https://github.com/NVIDIA/k8s-device-plugin/pull/756

kndoni avatar Jun 11 '24 14:06 kndoni
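
The kind of Kyverno rule the post above refers to, as an added example that is not part of the original issue or of the NVIDIA project. It is modelled on Kyverno's baseline "disallow privileged containers" policy; the policy name, rule name and the choice of Audit mode are assumptions made here.

```yaml
# Added example: Kyverno ClusterPolicy that flags any Pod whose containers,
# initContainers or ephemeralContainers set securityContext.privileged: true.
# Kyverno auto-generates the matching rules for pod controllers such as
# DaemonSets, so a DaemonSet with a privileged container or initContainer
# is reported as well.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # name chosen for this example
spec:
  # Audit only records violations in policy reports; Enforce rejects the
  # resource at admission time.
  validationFailureAction: Audit
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privileged mode is disallowed. securityContext.privileged must be
          unset or set to false for all containers and initContainers.
        pattern:
          spec:
            # "=(key)" means: if the key is present, its value must match.
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Because the pattern covers `initContainers` as well as `containers`, both the container and the initContainer mentioned in the post would be reported by a rule of this shape.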

This issue appears only in the MPS daemonset; in the device-plugin and gdf daemonsets I have tested locally, and the changes in the PR are working fine.

The only issue is in the MPS daemonset, where the container is running in privileged mode.

kndoni avatar Jun 11 '24 14:06 kndoni

I added a value called devicePluginMps in the PR so we can control whether we want MPS to be enabled or not.

kndoni avatar Jun 12 '24 08:06 kndoni

This issue is stale because it has been open 90 days with no activity. This issue will be closed in 30 days unless new comments are made or the stale label is removed.

github-actions[bot] avatar Sep 11 '24 04:09 github-actions[bot]

This issue was automatically closed due to inactivity.

github-actions[bot] avatar Oct 12 '24 04:10 github-actions[bot]