NVIDIA / gpu-operator / 21971785708
26%
main: 28%

LAST BUILD BRANCH: pull-request/2160
DEFAULT BRANCH: main
Ran
Jobs 1
Files 53
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 26.122%. Remained the same
21971785708

push

github

cdesiniotis 
fix: prevent dcgm-exporter pod from being bound to other SCC objects

On OpenShift, we deploy a custom Security Context Constraint (SCC) object
for dcgm-exporter. The intent is for this SCC object to define what permissions
the dcgm-exporter pod is allowed to run with.

There is a bug where the dcgm-exporter pod gets bound to another SCC object,
not the one named 'nvidia-dcgm-exporter' which the GPU Operator creates. For
example, on an OpenShift environment I see:

```
$ oc get $(oc get pod -oname -l app=nvidia-dcgm-exporter) -o yaml | grep openshift.io/scc
    openshift.io/scc: lvms-vgmanager
```

The root cause lies in the dcgm-exporter Role -- the dcgm-exporter service account
can use any SCC because of the missing 'resourceNames' restriction. As a result,
OpenShift's SCC admission controller can select another SCC that is more restrictive than
the 'nvidia-dcgm-exporter' SCC but still satisfies the pod's security requirements.

This commit updates the dcgm-exporter Role object so that it can only use the
'privileged' SCC (and not all SCCs). This change was made to align the dcgm-exporter
Role object with other operands, like dcgm / gpu-feature-discovery / device-plugin, etc.
who also have permissions to use the 'privileged' SCC.

In a follow-up, we should explore the possibility of removing this permission from
our Role objects entirely. The SCCs that the gpu-operator creates specify the service
accounts that can use them, so there should be no need to specify permissions to use
specific SCCs in the operand's Role objects.

Signed-off-by: Christopher Desiniotis <cdesiniotis@nvidia.com>

3109 of 11902 relevant lines covered (26.12%)

0.3 hits per line

Jobs
ID Job ID Ran Files Coverage
1 21971785708.1 53
26.12
 GitHub Action Run
Source Files on build 21971785708