From a888a91d2a201506b27e4f5def77c6058dd67110 Mon Sep 17 00:00:00 2001
From: Manish Regmi
Date: Wed, 1 Jun 2022 10:13:11 -0700
Subject: [PATCH] add selinux labels for QAT

Signed-off-by: Manish Regmi
---
 deployments/qat_plugin/base/intel-qat-plugin.yaml | 2 ++
 pkg/controllers/qat/controller.go | 3 +++
 pkg/controllers/qat/controller_test.go | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
index e46214d1..6728149f 100644
--- a/deployments/qat_plugin/base/intel-qat-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -17,6 +17,8 @@ spec:
 - name: intel-qat-plugin
 image: intel/intel-qat-plugin:devel
 securityContext:
+ seLinuxOptions:
+ type: "container_device_plugin_t"
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 imagePullPolicy: IfNotPresent
diff --git a/pkg/controllers/qat/controller.go b/pkg/controllers/qat/controller.go
index a062927c..75900052 100644
--- a/pkg/controllers/qat/controller.go
+++ b/pkg/controllers/qat/controller.go
@@ -222,6 +222,9 @@ func setInitContainer(dsSpec *v1.PodSpec, dpSpec devicepluginv1.QatDevicePluginS
 Value: strings.Join(enablingPfPciIDs, " "),
 }},
 SecurityContext: &v1.SecurityContext{
+ SELinuxOptions: &v1.SELinuxOptions{
+ Type: "container_device_plugin_init_t",
+ },
 Privileged: &yes,
 ReadOnlyRootFilesystem: &yes,
 },
diff --git a/pkg/controllers/qat/controller_test.go b/pkg/controllers/qat/controller_test.go
index 9876beb1..0cea46ea 100644
--- a/pkg/controllers/qat/controller_test.go
+++ b/pkg/controllers/qat/controller_test.go
@@ -72,6 +72,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 Image: devicePlugin.Spec.Image,
 ImagePullPolicy: "IfNotPresent",
 SecurityContext: &v1.SecurityContext{
+ SELinuxOptions: &v1.SELinuxOptions{
+ Type: "container_device_plugin_t",
+ },
 ReadOnlyRootFilesystem: &yes,
 AllowPrivilegeEscalation: &no,
 },
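Review bot: The added `seLinuxOptions.type` names a custom type, `container_device_plugin_t`, with nothing in the base manifest saying where it comes from, and on an SELinux-enforcing node whose loaded policy does not define that type the runtime refuses to create the container, so the pod never starts. I would put a comment directly above the new key: `# container_device_plugin_t is a confined type that must exist in the node's SELinux policy (presumably shipped by container-selinux); on enforcing nodes without it the pod fails to start`. Because the option is ignored where SELinux is not enabled, the failure only shows up on enforcing hosts, which is the reason the comment belongs next to the setting rather than in a README. Operators applying this base without that policy installed would need to install it first, so the dependency should also be stated in the deployment docs.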
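Review bot: The new `SELinuxOptions` on the init container needs a why-comment, because the field right below it is `Privileged: &yes` and a reader will not see why a privileged container is being given an explicit confined type at all. Without an explicit type, a privileged container on an SELinux-enforcing node typically runs under the runtime's default unconfined privileged label, so `container_device_plugin_init_t` is what actually confines the step that receives the PF PCI-ID list in `Value`; that only holds if the node's policy defines the type, and otherwise container creation fails. I would add above the new field: `// Confine the privileged init container under a dedicated type instead of the runtime's default privileged label; the type must be provided by the node's SELinux policy.` The literal is also duplicated verbatim in the test, so a package-level `const qatInitSELinuxType = "container_device_plugin_init_t"` carrying that comment would give it one documented home. `setInitContainer` starts and ends outside the hunk.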
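Review bot: The expectation added here covers only the main container's `container_device_plugin_t`, while the controller change in this same commit labels the init container with `container_device_plugin_init_t`, and nothing in this hunk asserts that value. If `newDaemonSetExpected` builds an init container elsewhere in the function (it starts and ends outside this hunk), its `SecurityContext` should get the matching `SELinuxOptions: &v1.SELinuxOptions{Type: "container_device_plugin_init_t"}`; if the test has no init-container case, a case that exercises the init-container path would be the way to cover the new code. The main-container label presumably comes from the embedded base manifest rather than from `controller.go`, so a short comment on the new expectation saying where the value originates would keep the literal from looking unmotivated.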