Let kublet plugin run privileged on OpenShift #76
Conversation
empovit
force-pushed
the
openshift-persmissions
branch
2 times, most recently
from
bdf5dd5 to
7fe8b50
Compare
deployments/helm/k8s-dra-driver/templates/privilegedrolebinging.yaml
Outdated
Show resolved
Hide resolved
deployments/helm/k8s-dra-driver/templates/privilegedrolebinging.yaml
Outdated
Show resolved
Hide resolved
| {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}} | ||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: RoleBinding |
There was a problem hiding this comment.
So you need both this new RoleBinding and the normal ClusterRoleBinding on openshift?:
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/helm/k8s-dra-driver/templates/clusterrolebinding.yaml
There was a problem hiding this comment.
I tried to balance between POLP, flexibility, and the intrusiveness of changes here. This solution seems good to me. E.g. the openshift stuff is kept separate and explicit.
I've discarded my previous changes to the ClusterRole.
There was a problem hiding this comment.
My question was more about whether we should have the following in the normal ClusterRoleBinding:
{{- if not .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
...
{{- end }}
or if you guys actually need both on openshift.
There was a problem hiding this comment.
The ClusterRoleBinding was there already, I believe it's required for the normal functioning of the plugin on any K8s-based platform. The new RoleBinding is where OpenShift differs from the others.
deployments/helm/k8s-dra-driver/templates/privilegedrolebinging.yaml
Outdated
Show resolved
Hide resolved
empovit
force-pushed
the
openshift-persmissions
branch
2 times, most recently
from
58bbcc3 to
4632b53
Compare
On OpenShift, the kublet plugin container won't run without applying the right security settings that let it run privileged. We solve this by binding the privileged security context constraints (SCC) role to the DRA driver's service account. This is done only when the target system has the OpenShift SCC capability in order to minimise the impact on non-OpenShift platforms. Signed-off-by: Vitaliy Emporopulo <[email protected]>
empovit
force-pushed
the
openshift-persmissions
branch
from
4632b53 to
defe73d
Compare
On OpenShift, the kublet plugin container won't run without applying the right
security settings that let it run privileged. We solve this by binding the privileged
security context constraints (SCC) role to the DRA driver's service account.
This is done only when the target system has the OpenShift SCC capability in order
to minimise the impact on non-OpenShift platforms.