Rename namespace in demo script launching driver #275
Conversation
Signed-off-by: Kevin Klues <[email protected]>
/ok to test
@@ -24,7 +24,7 @@ source "${CURRENT_DIR}/scripts/common.sh" | |||
|
|||
kubectl label node -l node-role.x-k8s.io/worker --overwrite nvidia.com/gpu.present=true | |||
|
|||
helm upgrade -i --create-namespace --namespace nvidia nvidia-dra-driver-gpu ${PROJECT_DIR}/deployments/helm/nvidia-dra-driver-gpu \ | |||
helm upgrade -i --create-namespace --namespace nvidia-dra-driver-gpu nvidia-dra-driver-gpu ${PROJECT_DIR}/deployments/helm/nvidia-dra-driver-gpu \ |
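Review bot: the new `--namespace nvidia-dra-driver-gpu` line still relies on `--create-namespace`, so the dedicated namespace is created by Helm with no labels or accompanying RBAC; if the reason for a dedicated namespace is to isolate the driver's privileged pods (as discussed below), consider creating the namespace explicitly in the demo script with Pod Security Admission labels and a comment stating that nothing else should be deployed into it, or document why the plain Helm-created namespace is sufficient for the demo. It is also worth confirming that any matching cleanup or uninstall step in the demo scripts no longer refers to the old `nvidia` namespace, since this hunk only touches the install line.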
@klueska this isn't a blocker, but why don't we want to use the nvidia namespace here? Is it commonplace to have the deployment and the namespace be the same?
Kevin will provide his reasons for the change.
But I can imagine that it is actually very important to do that from a security point of view:
We start privileged containers and hence want to make sure we run this in a unique namespace, not shared with anything else.
The reason would be to help our users to adopt the principle of least privilege.
The nvidia namespace might maybe be used by other things, and a wider range of users/service accounts might therefore have access to it.
Maybe I am wrong here. But this topic strongly relates to one major TODO item: we need to have a clear stance and simple documentation for a secure deployment of this component (doing great in terms of secure-deployment-documentation is the major outcome of our TAVA process, too).
Yeah, it's mostly about keeping things namespaced specifically to this component for the demo scripts. In practice, we should recommend people to deploy this in the gpu-operator namespace since the eventual plan is to include it as one of its operands.
This ensures that the pods for the DRA driver demo are more easily identifiable as opposed to other components.
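The concern raised above (a shared namespace widens the set of workloads and service accounts sitting next to the driver's privileged pods) can be checked rather than argued. The script below is an added example, not part of this PR or the project's code: it walks pod and RoleBinding objects shaped like `kubectl get pods,rolebindings -A -o json` output, and for every namespace that runs a privileged pod reports the pods that do not belong to the component and every subject with a RoleBinding there. The sample objects, the pod names and the `app_prefix` convention are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not real cluster data): one shared "nvidia" namespace, one dedicated one.
PRIV = {"privileged": True}
SAMPLE_PODS = [
    {"metadata": {"namespace": "nvidia", "name": "nvidia-dra-driver-gpu-kubelet-plugin-a"},
     "spec": {"containers": [{"name": "plugin", "securityContext": PRIV}]}},
    {"metadata": {"namespace": "nvidia", "name": "gpu-dashboard-b"},
     "spec": {"containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "nvidia-dra-driver-gpu", "name": "nvidia-dra-driver-gpu-kubelet-plugin-c"},
     "spec": {"containers": [{"name": "plugin", "securityContext": PRIV}]}},
]
SAMPLE_ROLEBINDINGS = [
    {"metadata": {"namespace": "nvidia", "name": "dashboard-edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard", "namespace": "nvidia"}]},
    {"metadata": {"namespace": "nvidia", "name": "team-edit"},
     "subjects": [{"kind": "Group", "name": "ml-team"}]},
    {"metadata": {"namespace": "nvidia-dra-driver-gpu", "name": "driver-self"},
     "subjects": [{"kind": "ServiceAccount", "name": "nvidia-dra-driver-gpu",
                   "namespace": "nvidia-dra-driver-gpu"}]},
]

def is_privileged(pod):
    """True if any regular or init container requests privileged mode."""
    spec = pod.get("spec", {})
    return any((c.get("securityContext") or {}).get("privileged")
               for c in spec.get("containers", []) + spec.get("initContainers", []))

def subject_id(s):
    """Stable label for a RoleBinding subject, e.g. ServiceAccount/<ns>/<name>."""
    if s.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{s.get('namespace', '')}/{s['name']}"
    return f"{s['kind']}/{s['name']}"

def audit(pods, rolebindings, app_prefix):
    """Per namespace running a privileged pod: pods not belonging to the component
    (name lacks app_prefix) plus all RoleBinding subjects. ClusterRoleBindings are out of scope."""
    seen = defaultdict(lambda: {"privileged": [], "unrelated": [], "subjects": set()})
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        if is_privileged(pod):
            seen[ns]["privileged"].append(name)
        if not name.startswith(app_prefix):
            seen[ns]["unrelated"].append(name)
    for rb in rolebindings:
        ns = rb["metadata"]["namespace"]
        if ns in seen:  # namespaces with no pods at all are not findings
            seen[ns]["subjects"].update(subject_id(s) for s in rb.get("subjects", []))
    return {ns: {**v, "subjects": sorted(v["subjects"])}
            for ns, v in seen.items() if v["privileged"]}
```

An empty `unrelated` list and a subject list containing only the driver's own service account is what a truly dedicated namespace looks like; anything else is a candidate for the secure-deployment documentation mentioned above.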