Allows autopilot containers to run privileged for nvidia-smi

Because of our use of ACCEPT_NVIDIA_VISIBLE_DEVICES_ENVVAR_WHEN_UNPRIVILEGED=false, we set privileged=true for the autopilot service account so it can load the NVIDIA tools like nvidia-smi to check on the GPU health, without actually claiming the GPU.
OCP-on-NERC · Feb 3, 2025 · c54c640 · c54c640
1 parent ff74fdc
commit c54c640
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/autopilot/base/clusterrolebindings/autopilot-privileged.yaml b/autopilot/base/clusterrolebindings/autopilot-privileged.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: autopilot-privileged
+  namespace: autopilot
+subjects:
+- kind: ServiceAccount
+  name: autopilot
+  namespace: autopilot
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+  apiGroup: rbac.authorization.k8s.io
diff --git a/autopilot/base/clusterrolebindings/kustomization.yaml b/autopilot/base/clusterrolebindings/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - autopilot.yaml
+- autopilot-privileged.yaml
 - prometheus-k8s-autopilot.yaml
diff --git a/autopilot/base/daemonsets/autopilot.yaml b/autopilot/base/daemonsets/autopilot.yaml
@@ -36,6 +36,8 @@ spec:
           image: quay.io/autopilot/autopilot:v2.1.0
           imagePullPolicy: Always
           name: device-plugin-validation
+          securityContext:
+            privileged: true
       containers:
         - image: quay.io/autopilot/autopilot:v2.1.0
           command:
@@ -88,3 +90,5 @@ spec:
               nvidia.com/gpu: '0'
             requests:
               nvidia.com/gpu: '0'
+          securityContext:
+            privileged: true