From afb6552527d8303ba7daeed2c544bac3f7aa0b2a Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Tue, 15 Apr 2025 10:23:43 +0300
Subject: [PATCH] operator: set pod security admission to privileged

Signed-off-by: Tuomas Katila
---
 INSTALL.md | 11 +++++++++++
 deployments/operator/manager/manager.yaml | 3 +++
 2 files changed, 14 insertions(+)

diff --git a/INSTALL.md b/INSTALL.md
index 4c9bd784f..7c14b7a9c 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,5 +1,16 @@
 # Installing device plugins to cluster
 
+## Pod security admission
+
+In Kubernetes clusters where [Pod Security admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, device plugins deployed directly from the [deployments](deployments/) will fail to get scheduled to the cluster. Device plugins require access to the underlying host via [hostpaths](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath), and hostpath use is reserved for privileged Pods. If the plugins are deployed from the `deployments` directory, the target namespace will require these labels:
+```
+pod-security.kubernetes.io/enforce: privileged
+pod-security.kubernetes.io/audit: privileged
+pod-security.kubernetes.io/warn: privileged
+```
+
+Since the 0.32.1 release the Device Plugin Operator sets the required admission labels automatically in its deployment. The device plugins deployed via the operator are scheduled to the same namespace as the operator, and do not then need any other configuration.
+
 ## Install device plugins via a DaemonSet
 
 Each plugin can be installed via a DaemonSet. The install changes slightly based on the desired plugin. See install instructions per [plugin](README.md#plugins).
diff --git a/deployments/operator/manager/manager.yaml b/deployments/operator/manager/manager.yaml
index eb8a9a1cb..36745cf27 100644
--- a/deployments/operator/manager/manager.yaml
+++ b/deployments/operator/manager/manager.yaml
@@ -4,6 +4,9 @@ metadata:
 labels:
 control-plane: controller-manager
 manager: intel-deviceplugin-operator
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
 name: system
 ---
 apiVersion: apps/v1
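Review bot: Labelling the namespace with `pod-security.kubernetes.io/audit: privileged` and `pod-security.kubernetes.io/warn: privileged` in addition to `enforce: privileged` removes every Pod Security Admission signal for the whole namespace, not only for the device-plugin pods that need hostPath volumes. Only the `enforce` label decides whether a pod is admitted; keeping the other two stricter, e.g. `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline`, still lets the plugins run while any other workload that ends up in this namespace is logged and warned about instead of silently accepted. If the intent is that nothing but the operator and its plugins ever runs here, as the INSTALL.md hunk states, that expectation belongs in the manifest as well, e.g. `# Device plugins need hostPath volumes, which Pod Security admission allows only in privileged namespaces; keep unrelated workloads out of this namespace.` The Namespace object these labels belong to starts before the hunk, and the literal `name: system` suggests the final namespace name is set elsewhere (kustomize namePrefix is the usual mechanism), so the relaxed policy applies to whichever namespace the operator is finally installed in; worth confirming that this is the intended scope.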