NVIDIA / gpu-operator / 25459157702

29%

main: 29%

Build Type

push

github

Committed by rajathagasthya

Commit Message

Remove shell dependency from validator pods

NVIDIA's distroless-cc `-dev` tag (the gpu-operator image base) will no
longer be approved as a STIG parent image. The non-`-dev` variant ships
no shell, so the validator daemonsets and workload validation pods —
which wrapped binaries in `sh -c` and used shell-based preStop hooks —
would break on the new base. Re-adding a shell to the image would only
swap one CVE source for another.

Replace shell wrappers with direct binary invocation. The
operator-validator and sandbox-validator init containers invoke
`nvidia-validator` directly. Their pause containers use a new top-level
`--sleep` flag that prints the validator-success message and blocks on
SIGTERM. Workload pod main containers run `nvidia-validator --version`
as a no-op exit-0; the per-workload success message now prints from
`(c *CUDA).runWorkload` and `(p *Plugin).runWorkload` after
`waitForPod` succeeds — surfacing in the operator-validator init
container logs where success is actually established.

For preStop cleanup, add a small static helper `rmglob` that takes
glob patterns and removes matching paths. Modeled on k8s-cc-manager's
vendored static `/bin/rm`, shipped at `/usr/bin/rmglob`. Both
validator daemonsets keep their `lifecycle.preStop` blocks; they now
call this binary instead of `sh -c rm`.

Flip the Dockerfile base to `nvcr.io/nvidia/distroless/cc:v4.0.0`.

Signed-off-by: Rajath Agasthya <ragasthya@nvidia.com>

Coverage Stats

17 of 74 new or added lines in 2 files covered. (22.97%)

3 existing lines in 1 file now uncovered.

3552 of 12523 relevant lines covered (28.36%)

0.32 hits per line