Commit
- Add new RBAC roles & clusterroles for all stages
- Add OCP specific artifacts
- Updated examples
- Fixed some file permissions
- Make SCC objects conditional on OCP
- Add OSName fields back to state_shared_dp

Signed-off-by: Sebastian Jug <[email protected]>
Showing 26 changed files with 374 additions and 22 deletions.
example/crs/mellanox.com_v1alpha1_nicclusterpolicy_cr-ocp.yaml: 45 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# Copyright 2020 NVIDIA | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
apiVersion: mellanox.com/v1alpha1 | ||
kind: NicClusterPolicy | ||
metadata: | ||
name: nic-cluster-policy | ||
spec: | ||
ofedDriver: | ||
image: mofed | ||
repository: mellanox | ||
version: 5.2-1.0.4.0 | ||
devicePlugin: | ||
image: k8s-rdma-shared-dev-plugin | ||
repository: mellanox | ||
version: v1.1.0 | ||
# The config below directly propagates to k8s-rdma-shared-device-plugin configuration. | ||
# Replace 'devices' with your (RDMA capable) netdevice name. | ||
config: | | ||
{ | ||
"configList": [ | ||
{ | ||
"resourceName": "hca_shared_devices_a", | ||
"rdmaHcaMax": 1000, | ||
"selectors": { | ||
"ifNames": ["ens2f0"] | ||
} | ||
} | ||
] | ||
} | ||
nvPeerDriver: | ||
image: nv-peer-mem-driver | ||
repository: mellanox | ||
version: 1.0-9 | ||
gpuDriverSourcePath: /run/nvidia/driver |
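Review bot: the comment `# Replace 'devices' with your (RDMA capable) netdevice name.` names a key that does not exist in the config that follows; the selector actually used is `"ifNames": ["ens2f0"]`, so the comment should tell the user to edit `ifNames`, otherwise they will look for a `devices` field that is not there. The commit message calls this file OCP-specific, but nothing in the file itself says which fields differ from the non-OCP CR (for instance whether `gpuDriverSourcePath: /run/nvidia/driver` is one of them); a one-line comment at the top stating that would save readers a diff between the two examples.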
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: nv-peer-mem-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: nv-peer-mem-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
rules: | ||
- apiGroups: | ||
- security.openshift.io | ||
resources: | ||
- securitycontextconstraints | ||
verbs: | ||
- use | ||
resourceNames: | ||
- privileged |
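Review bot: this Role grants `use` on the built-in `privileged` SCC, while the same commit adds a dedicated `nv-peer-mem-driver` SCC (manifests/stage-nv-peer-mem-driver/0040_scc.openshift.yaml) that already admits the service account through its `users:` list; the two grants overlap, and the Role is the broader of the two because `privileged` is the cluster-wide constraint shared by every other workload admitted to it. Either point `resourceNames` at the new SCC (`- nv-peer-mem-driver`) or drop the Role, so the stage is admitted by exactly one constraint that can be audited on its own. Separately, the rule references `security.openshift.io` unconditionally while the SCC file is wrapped in `{{if eq .RuntimeSpec.OSName "rhcos"}}`; RBAC does not validate API groups, so this is harmless on plain Kubernetes, but wrapping the Role in the same conditional keeps the OCP-only artifacts consistent with the commit message.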
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: nv-peer-mem-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: nv-peer-mem-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: nv-peer-mem-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
userNames: | ||
- system:serviceaccount:{{ .RuntimeSpec.Namespace }}:nv-peer-mem-driver |
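Review bot: `roleRef.namespace` and the top-level `userNames:` list are not fields of an `rbac.authorization.k8s.io/v1` RoleBinding; RoleRef carries only `apiGroup`, `kind` and `name`, and `userNames` belongs to the legacy OpenShift `authorization.openshift.io` RoleBinding type. The API server silently drops unknown fields on a normal apply and rejects the object under strict field validation, so remove both lines; the `subjects:` entry already binds the `nv-peer-mem-driver` service account.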
manifests/stage-nv-peer-mem-driver/0040_scc.openshift.yaml: 49 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
{{if eq .RuntimeSpec.OSName "rhcos"}} | ||
# Please edit the object below. Lines beginning with a '#' will be ignored, | ||
# and an empty file will abort the edit. If an error occurs while saving this file will be | ||
# reopened with the relevant failures. | ||
# | ||
allowHostDirVolumePlugin: true | ||
allowHostIPC: false | ||
allowHostNetwork: false | ||
allowHostPID: true | ||
allowHostPorts: false | ||
allowPrivilegeEscalation: true | ||
allowPrivilegedContainer: true | ||
allowedCapabilities: | ||
- '*' | ||
allowedUnsafeSysctls: | ||
- '*' | ||
apiVersion: security.openshift.io/v1 | ||
defaultAddCapabilities: null | ||
fsGroup: | ||
type: RunAsAny | ||
groups: | ||
- system:cluster-admins | ||
- system:nodes | ||
- system:masters | ||
kind: SecurityContextConstraints | ||
metadata: | ||
annotations: | ||
kubernetes.io/description: 'privileged allows access to all privileged and host | ||
features and the ability to run as any user, any group, any fsGroup, and with | ||
any SELinux context. WARNING: this is the most relaxed SCC and should be used | ||
only for cluster administration. Grant with caution.' | ||
|
||
name: nv-peer-mem-driver | ||
priority: null | ||
readOnlyRootFilesystem: false | ||
requiredDropCapabilities: null | ||
runAsUser: | ||
type: RunAsAny | ||
seLinuxContext: | ||
type: RunAsAny | ||
seccompProfiles: | ||
- '*' | ||
supplementalGroups: | ||
type: RunAsAny | ||
users: | ||
- system:serviceaccount:{{ .RuntimeSpec.Namespace }}:nv-peer-mem-driver | ||
volumes: | ||
- '*' | ||
{{end}} |
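Review bot: this object is a copy of the built-in `privileged` SCC with only `metadata.name` and `users:` changed, and it keeps several things that should not ship: the `# Please edit the object below` header left behind by `oc edit`, the `kubernetes.io/description` annotation that still describes `privileged` ("should be used only for cluster administration"), and the `groups:` list (`system:cluster-admins`, `system:nodes`, `system:masters`), which extends a driver-specific SCC to subjects that have nothing to do with the driver. Drop the editor comment and the `groups:` block, rewrite the description to say what this SCC exists for, and trim the wildcard grants (`allowedCapabilities`, `allowedUnsafeSysctls`, `seccompProfiles`, `volumes` all set to `'*'`) to what the nv-peer-mem-driver pod actually requests, so the dedicated SCC is narrower than `privileged` rather than a renamed duplicate of it.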
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: ofed-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: ofed-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
rules: | ||
- apiGroups: | ||
- security.openshift.io | ||
resources: | ||
- securitycontextconstraints | ||
verbs: | ||
- use | ||
resourceNames: | ||
- privileged |
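Review bot: as with the nv-peer-mem-driver stage, this Role grants `use` on the built-in `privileged` SCC even though the commit adds a dedicated `ofed-driver` SCC whose `users:` list already admits `system:serviceaccount:{{ .RuntimeSpec.Namespace }}:ofed-driver`. Point `resourceNames` at `ofed-driver` or remove the Role, so the stage is admitted by one constraint rather than by the cluster-wide privileged one plus a duplicate, and wrap the Role in the same `{{if eq .RuntimeSpec.OSName "rhcos"}}` guard as the SCC file so the OpenShift-only RBAC is not rendered on other distributions.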
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: ofed-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: ofed-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: ofed-driver | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
userNames: | ||
- system:serviceaccount:{{ .RuntimeSpec.Namespace }}:ofed-driver |
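Review bot: same structural problem as the nv-peer-mem-driver RoleBinding: `roleRef.namespace` and `userNames:` are not part of the `rbac.authorization.k8s.io/v1` RoleBinding schema (they come from the legacy OpenShift binding type) and are either dropped or rejected by the API server. Remove both; `subjects:` already binds the `ofed-driver` service account.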
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
{{if eq .RuntimeSpec.OSName "rhcos"}} | ||
# Please edit the object below. Lines beginning with a '#' will be ignored, | ||
# and an empty file will abort the edit. If an error occurs while saving this file will be | ||
# reopened with the relevant failures. | ||
# | ||
allowHostDirVolumePlugin: true | ||
allowHostIPC: false | ||
allowHostNetwork: false | ||
allowHostPID: true | ||
allowHostPorts: false | ||
allowPrivilegeEscalation: true | ||
allowPrivilegedContainer: true | ||
allowedCapabilities: | ||
- '*' | ||
allowedUnsafeSysctls: | ||
- '*' | ||
apiVersion: security.openshift.io/v1 | ||
defaultAddCapabilities: null | ||
fsGroup: | ||
type: RunAsAny | ||
groups: | ||
- system:cluster-admins | ||
- system:nodes | ||
- system:masters | ||
kind: SecurityContextConstraints | ||
metadata: | ||
annotations: | ||
kubernetes.io/description: 'privileged allows access to all privileged and host | ||
features and the ability to run as any user, any group, any fsGroup, and with | ||
any SELinux context. WARNING: this is the most relaxed SCC and should be used | ||
only for cluster administration. Grant with caution.' | ||
|
||
name: ofed-driver | ||
priority: null | ||
readOnlyRootFilesystem: false | ||
requiredDropCapabilities: null | ||
runAsUser: | ||
type: RunAsAny | ||
seLinuxContext: | ||
type: RunAsAny | ||
seccompProfiles: | ||
- '*' | ||
supplementalGroups: | ||
type: RunAsAny | ||
users: | ||
- system:serviceaccount:{{ .RuntimeSpec.Namespace }}:ofed-driver | ||
volumes: | ||
- '*' | ||
{{end}} |
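Review bot: this SCC is the same verbatim copy of the built-in `privileged` SCC as the nv-peer-mem-driver one, with the same leftovers: the `oc edit` header comment, the `kubernetes.io/description` annotation still describing `privileged`, and the `groups:` block granting `system:cluster-admins`, `system:nodes` and `system:masters` a constraint that is meant for a single service account. Remove the comment and `groups:`, correct the description, and narrow the `'*'` grants for `allowedCapabilities`, `allowedUnsafeSysctls`, `seccompProfiles` and `volumes` to what the ofed-driver pod uses; if both driver stages genuinely need identical settings, consider templating one SCC body so the two files cannot drift apart.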
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: rdma-shared | ||
namespace: {{ .RuntimeSpec.Namespace }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: rdma-shared | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
rules: | ||
- apiGroups: | ||
- security.openshift.io | ||
resources: | ||
- securitycontextconstraints | ||
verbs: | ||
- use | ||
resourceNames: | ||
- privileged |
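Review bot: this Role grants the rdma-shared device plugin `use` on the `privileged` SCC, and unlike the nv-peer-mem-driver and ofed-driver stages no dedicated SCC for rdma-shared appears in the hunks shown, so the plugin is admitted solely through the cluster-wide privileged constraint. Add a stage-specific SCC that lists only the settings the plugin needs, as was done for the two driver stages, or document in the manifest why the plugin requires the full `privileged` SCC; and, as for the other Roles, guard it with the `{{if eq .RuntimeSpec.OSName "rhcos"}}` conditional so `security.openshift.io` rules are only rendered on OpenShift.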
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: rdma-shared | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: rdma-shared | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: rdma-shared | ||
namespace: {{ .RuntimeSpec.Namespace }} | ||
userNames: | ||
- system:serviceaccount:{{ .RuntimeSpec.Namespace }}:rdma-shared |
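Review bot: `roleRef.namespace` and `userNames:` are not valid fields of an `rbac.authorization.k8s.io/v1` RoleBinding and will be dropped or rejected by the API server, exactly as in the other two RoleBindings in this commit. Remove both lines; `subjects:` already binds the `rdma-shared` service account. Since all three bindings, Roles and ServiceAccounts differ only in the stage name, a single template rendered per stage would remove the copy-and-paste that let these fields propagate to every file.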