crypto-perf: fix readonly rootfs deployment

We had securityContext specified twice and the latter was overwriting
readOnlyRootFilesystem=true.

With this commit, the container is properly mounted readonly. However,
we need a tmpfs for DPDK runtime data so an emptyDir volume is added
(NB: see kubernetes/issues/48912 for discussion on emptyDir mount options).

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Mikko Ylinen 2020-02-04 13:39:07 +02:00
parent 28a89a2820
commit df7492d763

@ -9,11 +9,11 @@ spec:
imagePullPolicy: IfNotPresent
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 300000; done;" ]
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /dev/hugepages
name: hugepage
- mountPath: /var/run/dpdk
name: dpdk-runtime
resources:
requests:
cpu: "3"
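Review bot: The /var/run/dpdk entry at the end of volumeMounts carries no comment explaining why it is there. With readOnlyRootFilesystem: true it is one of only two volumes mounted into this container, so a one-line YAML comment above it saying it holds DPDK runtime data would keep it from being dropped later as unused. Please also confirm the workload writes to no other path on the root filesystem (for example /tmp), since any such write will now fail at runtime instead of being silently allowed.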
@ -26,11 +26,15 @@ spec:
qat.intel.com/generic: '4'
hugepages-2Mi: "128Mi"
securityContext:
readOnlyRootFilesystem: true
capabilities:
add:
["IPC_LOCK", "SYS_ADMIN"]
restartPolicy: Never
volumes:
- name: dpdk-runtime
emptyDir:
medium: Memory
- name: hugepage
emptyDir:
medium: HugePages
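Review bot: The dpdk-runtime volume under volumes is an emptyDir with medium: Memory and no sizeLimit, so the tmpfs is unbounded from the manifest's point of view and whatever is written there is charged to the pod's memory. Suggest adding a small sizeLimit under emptyDir sized for the DPDK runtime files. Separately, the securityContext that now sets readOnlyRootFilesystem: true still adds SYS_ADMIN, and that capability covers mount operations, so the read-only root is only as strong as whatever else restricts mounts in this container; if IPC_LOCK alone is enough for the workload, dropping SYS_ADMIN would make this change mean more.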