Allow k8s-device-plugin daemonset run in nonpriveleged mode

curlup · web-flow · commit aa5f9475bc1b · 2025-04-29T16:45:34.000-04:00
diff --git a/api/nvidia/v1/clusterpolicy_types.go b/api/nvidia/v1/clusterpolicy_types.go
@@ -713,6 +713,7 @@ type DevicePluginSpec struct {
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="Enable NVIDIA Device Plugin deployment through GPU Operator"
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	Enabled *bool `json:"enabled,omitempty"`
+	
 
 	// NVIDIA Device Plugin image repository
 	// +kubebuilder:validation:Optional
@@ -767,6 +768,12 @@ type DevicePluginSpec struct {
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="MPS related configuration for the NVIDIA Device Plugin"
 	MPS *MPSConfig `json:"mps,omitempty"`
+
+	// Unpriveleged indicates NVIDIA Device Plugin should run with securityContext: priveleged: false
+	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
+	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="Run NVIDIA Device Plugin daemon set with privileged false, which alllows limiting NVIDIA_VISIBLE_DEVICES"
+	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	Unprivileged *bool `json:"enabled,omitempty"`
 }
 
 // DevicePluginConfig defines ConfigMap name for NVIDIA Device Plugin config
diff --git a/controllers/object_controls.go b/controllers/object_controls.go
@@ -1359,6 +1359,11 @@ func TransformDevicePlugin(obj *appsv1.DaemonSet, config *gpuv1.ClusterPolicySpe
 	}
 	obj.Spec.Template.Spec.Containers[0].Image = image
 
+	// set privileged false if overriden
+	if config.Unprivileged {
+		obj.Spec.Template.Spec.Containers[0].SecurityContext.Privileged = false
+	}
+
 	// update image pull policy
 	obj.Spec.Template.Spec.Containers[0].ImagePullPolicy = gpuv1.ImagePullPolicy(config.DevicePlugin.ImagePullPolicy)
 
