Add one device-plugin-specific label to differentiate our operator
from all the possible operators within the same namespace.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Sadly, GH's trivy-action doesn't support the trivyignore.yaml file.
The whole detection class needs to be ignored.
Include the .yaml file for future use.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Our SGX README guides users to first deploy NFD and create NodeFeatureRules
when sgx_plugin/overlays/epc-nfd is used. However, it turns out
the "SGX enabled" label is not being used by the plugin DaemonSet.
Use "intel.feature.node.kubernetes.io/sgx": "true" as the nodeSelector
value when the kustomization overlay with NFD is used.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
The VPU plugin can only be used with devices that are
no longer supported by upper layers, such as OpenVINO.
The deprecation plan for the plugin was announced earlier
this year, and post-v0.28 marks the date when the plugin is removed
from the repo.
Releases before v0.29 have the plugin available should it
be needed.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
With recent NFD versions (v0.13+), it's no longer necessary to
start NFD with custom nfd-master args/rbac settings to get numeric
labels registered as extended resources.
The same can be specified via NodeFeatureRules, which also work for
the "local" source with feature files.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
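
Added example tying the two SGX/NFD commits above together; these are not manifests from the intel-device-plugins repo. The NodeFeatureRule sets the "intel.feature.node.kubernetes.io/sgx" label that the plugin DaemonSet selects on, and uses the v0.13+ spec.rules[].extendedResources field to publish a numeric feature value as an extended resource without any nfd-master flags or extra RBAC; a second rule does the same for a numeric label coming from a "local" source feature file. The object names, the sgx.intel.com/epc resource name, the cpu.security.sgx.epc attribute, the feature-file key and the "@local.label.<key>" template reference are assumptions to check against the feature reference of your NFD version.

```yaml
# Added example, not from the intel-device-plugins repo.
# 1) NodeFeatureRule: spec.rules[].extendedResources needs NFD v0.13+.
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-sgx-example            # assumed name
spec:
  rules:
    - name: "intel.sgx"
      # Label consumed by the plugin DaemonSet nodeSelector below.
      labels:
        "intel.feature.node.kubernetes.io/sgx": "true"
      # Numeric feature value published by nfd-master as an extended resource.
      # Replaces the old --resource-labels / custom RBAC approach.
      # Attribute name and resource name are assumptions.
      extendedResources:
        "sgx.intel.com/epc": "@cpu.security.sgx.epc"
      matchFeatures:
        - feature: cpu.cpuid
          matchExpressions:
            SGX: {op: Exists}
        - feature: cpu.security
          matchExpressions:
            sgx.enabled: {op: IsTrue}
    # Same mechanism for the "local" source: a feature file under
    # /etc/kubernetes/node-feature-discovery/features.d/ containing the line
    #   vendor.example.com/widgets=4
    # appears as a local.label attribute. The "@local.label.<key>" template
    # reference is an assumption; nfd-master logs a rule error if it is wrong.
    - name: "local-numeric-example"
      extendedResources:
        "vendor.example.com/widgets": "@local.label.vendor.example.com/widgets"
      matchFeatures:
        - feature: local.label
          matchExpressions:
            vendor.example.com/widgets: {op: Exists}
---
# 2) kustomize strategic-merge patch for the plugin DaemonSet (referenced from
#    the overlay's kustomization.yaml under patches:). Schedules the plugin
#    only where NFD has set the label. DaemonSet name is an assumption.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: intel-sgx-plugin
spec:
  template:
    spec:
      nodeSelector:
        intel.feature.node.kubernetes.io/sgx: "true"
```

Check the result with `kubectl get node <name> -o jsonpath='{.status.capacity}'`: the extended resource only appears on nodes where the rule matched, and a DaemonSet pod only lands on nodes carrying the label.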
NFD v0.14+ doesn't support binary NFD hooks by default, so there is
a need to move the label creation away from the GPU nfdhook.
Move extended resource label creation to plugin, and drop labels that were
already marked deprecated (platform_gen, media_version etc.).
Drop init-container from deployment files and operator. It is still possible
to use an init-container, but the default deployments do not support it.
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
hostNetwork usage for SGX demo pods is not absolutely necessary, so it's
better to clean it up and make IAS "security" scanners happier. It was
originally used to be able to use a "localhost" PCCS, but this change now
adds an example of how a proper PCCS URL can be configured using jq.
Additionally, SGX DCAP Quote Verification is added.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
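
Added example of the pattern the commit above describes; it is not the repo's demo manifest. Instead of hostNetwork plus a "localhost" PCCS, the DCAP quote-verification pod reaches PCCS over the pod network and gets its /etc/sgx_default_qcnl.conf from a read-only ConfigMap mount. The commit mentions rendering that file with jq; the file body here is what `jq -n --arg url "$PCCS_URL" '{pccs_url: $url, use_secure_cert: true}'` would produce, written out literally (jq -n is used because the stock sgx_default_qcnl.conf carries // comments that jq cannot parse). The PCCS Service address, the demo image name and the exact sgx.intel.com resource names are assumptions.

```yaml
# Added example, not from the intel-device-plugins repo.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sgx-qcnl-conf                  # assumed name
data:
  # Equivalent to: jq -n --arg url "$PCCS_URL" '{pccs_url: $url, use_secure_cert: true}'
  # use_secure_cert: false would accept an untrusted PCCS TLS certificate;
  # demo setups with self-signed PCCS certs do that, production should not.
  sgx_default_qcnl.conf: |
    {
      "pccs_url": "https://pccs.sgx-system.svc:8081/sgx/certification/v4/",
      "use_secure_cert": true
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: sgx-dcap-quote-verify          # assumed name
spec:
  # hostNetwork: true is deliberately absent; the pod network is enough
  # to reach PCCS, and the pod no longer sees the node's interfaces.
  containers:
    - name: quote-verifier
      image: intel/sgx-demo:quote-verify   # assumed demo image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          # Resources exposed by the SGX device plugin (names assumed).
          sgx.intel.com/enclave: 1
          sgx.intel.com/epc: "512Ki"
      volumeMounts:
        - name: qcnl
          mountPath: /etc/sgx_default_qcnl.conf
          subPath: sgx_default_qcnl.conf
          readOnly: true
  volumes:
    - name: qcnl
      configMap:
        name: sgx-qcnl-conf
```

Scanners that flag hostNetwork (and the CAP_NET_* exposure that usually comes with it) have nothing to report on this pod, and the PCCS endpoint is an ordinary cluster Service that NetworkPolicy can scope.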
FPGA and SGX webhooks mutate container resources which
are immutable. Therefore, stop processing pod updates
and act on creation only.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
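
Added example of the registration change the commit above describes; it is not the project's own webhook manifest. The webhook is registered for pod CREATE only: on UPDATE the API server rejects any change to spec.containers[*].resources, so a mutating patch issued there can only fail the request. Names, namespace and the kube-system exclusion are assumptions.

```yaml
# Added example, not from the intel-device-plugins repo.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: intel-sgx-webhook              # assumed name
webhooks:
  - name: pods.sgx.intel.com           # assumed name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Fail closed, but keep control-plane pods out of scope so a webhook
    # outage cannot block kube-system (assumed hardening, not from the commit).
    failurePolicy: Fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        # Before this change: operations: ["CREATE", "UPDATE"]
        # Container resources are immutable after creation, so UPDATE is dropped.
        operations: ["CREATE"]
    clientConfig:
      service:
        namespace: intel-device-plugins  # assumed
        name: sgx-webhook-service        # assumed
        path: /pods
        port: 443
      caBundle: ""   # injected by cert-manager's CA injector or your PKI; assumption
```

The same rule shape applies to the FPGA webhook; only the name, path and service differ.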
Proper SELinux labels are required for the plugins to run in SELinux-enabled
clusters like OpenShift. These labels are custom-made for the
plugins and are part of the container-selinux package.
Signed-off-by: Manish Regmi <manish.regmi@intel.com>
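
Added example showing where the label from the commit above goes in a plugin DaemonSet; it is not the project's deployment file. The type names container_device_plugin_t (plugin container) and container_device_plugin_init_t (init container) are the ones container-selinux provides for device plugins as this editor understands it; treat them as an assumption and confirm on a node with `seinfo -t | grep device_plugin`. The DaemonSet and container names are assumptions too.

```yaml
# Added example, not from the intel-device-plugins repo.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: intel-gpu-plugin               # assumed name
spec:
  selector:
    matchLabels:
      app: intel-gpu-plugin
  template:
    metadata:
      labels:
        app: intel-gpu-plugin
    spec:
      containers:
        - name: intel-gpu-plugin
          image: intel/intel-gpu-plugin:devel   # assumed tag
          securityContext:
            # Without this, under enforcing SELinux the container runs as
            # container_t and is denied access to /dev devices and the
            # kubelet plugin socket. Type name is an assumption.
            seLinuxOptions:
              type: container_device_plugin_t
            # If an init-container is used, give it container_device_plugin_init_t.
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: devfs
              mountPath: /dev/dri
              readOnly: true
            - name: kubeletsockets
              mountPath: /var/lib/kubelet/device-plugins
      volumes:
        - name: devfs
          hostPath:
            path: /dev/dri
        - name: kubeletsockets
          hostPath:
            path: /var/lib/kubelet/device-plugins
```

When a plugin still crash-loops on an SELinux-enforcing node, `ausearch -m AVC -ts recent` on that node shows which access the policy denied and whether the container actually received the requested type.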