add selinux labels for GPU plugins

2025-06-03 03:59:37 +00:00 · 2022-09-01 11:29:09 -07:00 · 2022-09-01 11:29:09 -07:00 · 22e9d5f882
commit 22e9d5f882
parent 399c1dd232
3 changed files with 10 additions and 0 deletions
--- a/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
+++ b/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
@ -18,6 +18,8 @@ spec:
        image: intel/intel-gpu-initcontainer:devel
        imagePullPolicy: IfNotPresent
        securityContext:
+          seLinuxOptions:
+            type: "container_device_plugin_init_t"
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
@ -33,6 +35,8 @@ spec:
        image: intel/intel-gpu-plugin:devel
        imagePullPolicy: IfNotPresent
        securityContext:
+          seLinuxOptions:
+            type: "container_device_plugin_t"
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
--- a/pkg/controllers/gpu/controller.go
+++ b/pkg/controllers/gpu/controller.go
@ -196,6 +196,9 @@ func setInitContainer(spec *v1.PodSpec, imageName string) {
 			ImagePullPolicy: "IfNotPresent",
 			Name:            "intel-gpu-initcontainer",
 			SecurityContext: &v1.SecurityContext{
+				SELinuxOptions: &v1.SELinuxOptions{
+					Type: "container_device_plugin_init_t",
+				},
 				ReadOnlyRootFilesystem: &yes,
 			},
 			VolumeMounts: []v1.VolumeMount{
--- a/pkg/controllers/gpu/controller_test.go
+++ b/pkg/controllers/gpu/controller_test.go
@ -79,6 +79,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
+								SELinuxOptions: &v1.SELinuxOptions{
+									Type: "container_device_plugin_t",
+								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},