From 566196c9d0db8a4524cda9f7e72e77c8e87ff973 Mon Sep 17 00:00:00 2001
From: Zhongcheng Lao
Date: Mon, 23 Mar 2020 00:06:05 +0800
Subject: [PATCH] Do not run GPU plugin under priviledge mode
---
 deploy/addons/gpu/nvidia-gpu-device-plugin.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/deploy/addons/gpu/nvidia-gpu-device-plugin.yaml b/deploy/addons/gpu/nvidia-gpu-device-plugin.yaml
index d4ee2ead9cd8..e895e5394aa1 100644
--- a/deploy/addons/gpu/nvidia-gpu-device-plugin.yaml
+++ b/deploy/addons/gpu/nvidia-gpu-device-plugin.yaml
@@ -42,9 +42,6 @@ spec:
 - name: device-plugin
 hostPath:
 path: /var/lib/kubelet/device-plugins
- - name: dev
- hostPath:
- path: /dev
 containers:
 - image: "nvidia/k8s-device-plugin:1.0.0-beta4"
 command: ["/usr/bin/nvidia-device-plugin", "-logtostderr"]
@@ -54,11 +51,11 @@ spec:
 cpu: 50m
 memory: 10Mi
 securityContext:
- privileged: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 volumeMounts:
 - name: device-plugin
 mountPath: /var/lib/kubelet/device-plugins
- - name: dev
- mountPath: /dev
 updateStrategy:
 type: RollingUpdate
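Review bot: The new container `securityContext` in the second hunk drops all capabilities and blocks privilege escalation but leaves the root filesystem writable; the only path the plugin is shown writing to is the `device-plugin` hostPath mount, so `readOnlyRootFilesystem: true` looks like a safe addition, to be confirmed against the image. With `privileged: true` and the `/dev` hostPath gone, the plugin can presumably only see GPU device nodes if the node's container runtime exposes them, so a comment above `securityContext:` such as `# Unprivileged: GPU device nodes must be provided by the container runtime, not a /dev hostPath` would keep a later maintainer from re-adding the mount. The remaining `/var/lib/kubelet/device-plugins` hostPath is still writable host state, so it is worth keeping it the only host mount. The DaemonSet spec begins and ends outside both hunks.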