Merge pull request #76 from empovit/openshift-persmissions

Let kublet plugin run privileged on OpenShift
NVIDIA · Feb 29, 2024 · 887262d · 887262d
2 parents 203be1d + defe73d
commit 887262d
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/deployments/helm/k8s-dra-driver/templates/openshiftprivilegedrolebinging.yaml b/deployments/helm/k8s-dra-driver/templates/openshiftprivilegedrolebinging.yaml
@@ -0,0 +1,17 @@
+# Apply only when running on OpenShift to let the kublet plugin run privileged
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "k8s-dra-driver.fullname" . }}-openshift-privileged-role-binding
+  namespace: {{ include "k8s-dra-driver.namespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "k8s-dra-driver.serviceAccountName" . }}
+  namespace: {{ include "k8s-dra-driver.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}