Merge pull request #978 from NVIDIA/no-privileged-toolkit-validation

tariq1890 · web-flow · commit 751bf09fd18f · 2024-09-07T03:21:52.000+08:00
disable privileged mode for toolkit-validation init containers
diff --git a/assets/gpu-feature-discovery/0500_daemonset.yaml b/assets/gpu-feature-discovery/0500_daemonset.yaml
@@ -30,12 +30,10 @@ spec:
           image: "FILLED BY THE OPERATOR"
           command: ['sh', '-c']
           args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container stack to be setup; sleep 5; done"]
-          securityContext:
-            privileged: true
           volumeMounts:
             - name: run-nvidia
               mountPath: /run/nvidia
-              mountPropagation: Bidirectional
+              mountPropagation: HostToContainer
         - name: config-manager-init
           image: "FILLED BY THE OPERATOR"
           command: ["config-manager"]
diff --git a/assets/state-dcgm-exporter/0900_daemonset.yaml b/assets/state-dcgm-exporter/0900_daemonset.yaml
@@ -29,8 +29,6 @@ spec:
         image: "FILLED BY THE OPERATOR"
         command: ['sh', '-c']
         args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container stack to be setup; sleep 5; done"]
-        securityContext:
-          privileged: true
         volumeMounts:
           - name: run-nvidia
             mountPath: "/run/nvidia"
diff --git a/assets/state-dcgm/0400_dcgm.yml b/assets/state-dcgm/0400_dcgm.yml
@@ -29,8 +29,6 @@ spec:
         image: "FILLED BY THE OPERATOR"
         command: ['sh', '-c']
         args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container stack to be setup; sleep 5; done"]
-        securityContext:
-          privileged: true
         volumeMounts:
           - name: run-nvidia
             mountPath: /run/nvidia
diff --git a/assets/state-device-plugin/0500_daemonset.yaml b/assets/state-device-plugin/0500_daemonset.yaml
@@ -29,8 +29,6 @@ spec:
         name: toolkit-validation
         command: ['sh', '-c']
         args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container stack to be setup; sleep 5; done"]
-        securityContext:
-          privileged: true
         volumeMounts:
           - name: run-nvidia-validations
             mountPath: /run/nvidia/validations
diff --git a/assets/state-mig-manager/0600_daemonset.yaml b/assets/state-mig-manager/0600_daemonset.yaml
@@ -29,8 +29,6 @@ spec:
           image: "FILLED BY THE OPERATOR"
           command: ['sh', '-c']
           args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container toolkit to be setup; sleep 5; done"]
-          securityContext:
-            privileged: true
           volumeMounts:
             - name: run-nvidia-validations
               mountPath: /run/nvidia/validations
diff --git a/assets/state-mps-control-daemon/0400_daemonset.yaml b/assets/state-mps-control-daemon/0400_daemonset.yaml
@@ -30,8 +30,6 @@ spec:
           name: toolkit-validation
           command: ['sh', '-c']
           args: ["until [ -f /run/nvidia/validations/toolkit-ready ]; do echo waiting for nvidia container stack to be setup; sleep 5; done"]
-          securityContext:
-            privileged: true
           volumeMounts:
             - name: run-nvidia
               mountPath: /run/nvidia
diff --git a/assets/state-sandbox-device-plugin/0500_daemonset.yaml b/assets/state-sandbox-device-plugin/0500_daemonset.yaml
@@ -35,8 +35,6 @@ spec:
           env:
             - name: NVIDIA_VISIBLE_DEVICES
               value: void
-          securityContext:
-            privileged: true
           volumeMounts:
             - name: run-nvidia-validations
               mountPath: /run/nvidia/validations
