Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding security context to initContainer #756

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Adding security context to initContainer #756

wants to merge 7 commits into from
+44 −3

Conversation

kndoni
Copy link

@kndoni kndoni commented Jun 3, 2024
edited
Loading

Changes

  1. Adding security context to init container as keyverno policies implies that initContainer should have securityContext defined as well
  2. Adding resources for every container and initContainer on each daemonset.
  3. Adding property devicePluginMps in values that controlles enabling or disabling mps daemonset.

elezar
elezar requested changes Jun 4, 2024
View reviewed changes
Copy link
Member

@elezar elezar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kndoni please also add this to the other daemonsest in the helm package.

deployments/helm/nvidia-device-plugin/templates/daemonset-device-plugin.yml Show resolved Hide resolved
@kndoni
Copy link
Author

kndoni commented Jun 4, 2024

@kndoni please also add this to the other daemonsest in the helm package.

I have added security context for other containers in daemonsets as well

@kndoni kndoni requested a review from elezar June 5, 2024 08:59
elezar
elezar previously approved these changes Jun 5, 2024
View reviewed changes
@elezar elezar dismissed their stale review June 5, 2024 10:19

needs re-review.

elezar
elezar requested changes Jun 5, 2024
View reviewed changes
Copy link
Member

@elezar elezar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that adding a security context if we're already running a container as priveleved makes sense. We also do not have the template used for the mps-control-daemon defined.

deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml Outdated Show resolved Hide resolved
deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml Outdated Show resolved Hide resolved
@kndoni kndoni requested a review from elezar June 5, 2024 10:31
@kndoni
Copy link
Author

kndoni commented Jun 6, 2024

@elezar Let me know if something else should be changed as well.
Thanks in advance!

@kndoni kndoni force-pushed the patch-1 branch 2 times, most recently from 6e27784 to a2328f0 Compare June 11, 2024 06:40
@kndoni kndoni mentioned this pull request Jun 11, 2024
Open
@kndoni
Adding security context to initContainer
7929490 
Adding security context to init container as keyverno policies implies that initContainer should have securityContext defined as well

Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Adding security contexts for all containers in deamonset gdf and mps
5437936 
Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Removed security context from privileged container
521f122 
Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Adding securityContexts for all containers and initContainers
213ae30 
Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Adding capabilities for MIG_MONITOR_DEVICES property
640c8ca 
Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Adding correct capabilities to container
3373636 
Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
@kndoni
Adding property for specifically enabling or disabling devicePluginMp…
0cfce42 
…s daemonset

Signed-off-by: Kristi <74095043+kndoni@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elezar elezar Awaiting requested review from elezar

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@kndoni @elezar