From 74006cda80b9cf9bf8a28c36c12b863d22947292 Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Thu, 2 Jan 2025 14:25:21 +0200
Subject: [PATCH] depl: drop capabilities from all plugins

Signed-off-by: Tuomas Katila
---
 deployments/dlb_plugin/base/intel-dlb-plugin.yaml | 7 ++++++-
 deployments/dsa_plugin/base/intel-dsa-plugin.yaml | 5 +++++
 .../fpga_plugin/base/intel-fpga-plugin-daemonset.yaml | 7 +++++++
 deployments/gpu_plugin/base/intel-gpu-plugin.yaml | 5 +++++
 deployments/gpu_plugin/overlays/levelzero/levelzero.yaml | 7 +++++++
 deployments/iaa_plugin/base/intel-iaa-plugin.yaml | 5 +++++
 deployments/qat_plugin/base/intel-qat-plugin.yaml | 5 +++++
 deployments/sgx_plugin/base/intel-sgx-plugin.yaml | 5 +++++
 pkg/controllers/dlb/controller_test.go | 2 ++
 pkg/controllers/dsa/controller_test.go | 2 ++
 pkg/controllers/fpga/controller_test.go | 5 +++++
 pkg/controllers/gpu/controller_test.go | 2 ++
 pkg/controllers/iaa/controller_test.go | 2 ++
 pkg/controllers/qat/controller_test.go | 2 ++
 pkg/controllers/sgx/controller_test.go | 2 ++
 15 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/deployments/dlb_plugin/base/intel-dlb-plugin.yaml b/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
index 14b903df8..ea8cceb29 100644
--- a/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
+++ b/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
@@ -31,7 +31,12 @@ spec:
  securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
- terminationMessagePath: /tmp/termination-log
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /tmp/termination-log
  resources:
  requests:
  memory: "15Mi"
diff --git a/deployments/dsa_plugin/base/intel-dsa-plugin.yaml b/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
index 4a2a7daea..41aa98ad5 100644
--- a/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
+++ b/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
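Review bot: Even with `drop: ALL` and `seccompProfile: RuntimeDefault` added, the DLB container in this hunk still has no `runAsNonRoot`/`runAsUser` in view, so it keeps running as uid 0 and will not meet the Pod Security Standards "restricted" level that these two fields are usually added for. If root is genuinely required (for instance to create the plugin socket in the kubelet's device-plugins directory or to open root-owned device nodes — neither is visible here), that constraint should be recorded next to `securityContext:` with a comment such as `# runs as root: kubelet device-plugin socket dir and device nodes are root-owned; privileges are limited via drop: ALL + seccomp instead`. The `terminationMessagePath` line is removed and re-added with identical text, presumably a re-indentation; worth confirming it still sits at container level and was not pulled under `securityContext`, where it would be rejected by the API server. The enclosing container spec starts above the hunk.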
@@ -33,6 +33,11 @@ spec:
  type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
  memory: "25Mi"
diff --git a/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml b/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
index 2e9462453..1f7e28051 100644
--- a/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
+++ b/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
@@ -42,8 +42,15 @@ spec:
  - -mode=af
  terminationMessagePath: /tmp/termination-log
  securityContext:
+ seLinuxOptions:
+ type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
  memory: "30Mi"
diff --git a/deployments/gpu_plugin/base/intel-gpu-plugin.yaml b/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
index 5ea86975d..a6aabe98b 100644
--- a/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
+++ b/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
@@ -36,6 +36,11 @@ spec:
  type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
  memory: "45Mi"
diff --git a/deployments/gpu_plugin/overlays/levelzero/levelzero.yaml b/deployments/gpu_plugin/overlays/levelzero/levelzero.yaml
index baa30f18d..a3d3abcea 100644
--- a/deployments/gpu_plugin/overlays/levelzero/levelzero.yaml
+++ b/deployments/gpu_plugin/overlays/levelzero/levelzero.yaml
@@ -6,6 +6,13 @@
  imagePullPolicy: IfNotPresent
  args:
  - "-v=2"
+ resources:
+ requests:
+ cpu: 25m
+ memory: 50Mi
+ limits:
+ cpu: 50m
+ memory: 100Mi
  securityContext:
  readOnlyRootFilesystem: true
  privileged: true
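Review bot: The new `seLinuxOptions.type: "container_device_plugin_t"` in the FPGA hunk is a hard dependency on a custom SELinux policy module: on an enforcing node where that type is not loaded the runtime refuses to create the container, while on nodes without SELinux the field is silently ignored, so breakage will look node-specific and unrelated to this patch. The other plugin manifests in this series already carry the same type in their context lines, so this is a consistency fix, but the requirement is documented nowhere in the hunk; I'd add `# requires the container_device_plugin_t type (plugins' SELinux policy module) on SELinux-enforcing nodes` above `seLinuxOptions:`. The container spec (`-mode=af` args) continues above the hunk.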
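Review bot: The level-zero overlay container keeps `privileged: true` and receives no `capabilities.drop` or `seccompProfile`, so the "drop capabilities from all plugins" claim in the subject does not hold for this overlay — `privileged` implies the full capability set, no seccomp filter and unrestricted device access, which also makes the `readOnlyRootFilesystem: true` beside it largely cosmetic. If privilege is genuinely needed (the reason is not visible in this hunk), record it with a comment such as `# privileged: <reason> — TODO replace with explicit device hostPath mounts plus drop: ALL`; otherwise the same hardened block used in the base manifests should be applied here. The added requests/limits are fine; the rest of the overlay lies outside the hunk.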
diff --git a/deployments/iaa_plugin/base/intel-iaa-plugin.yaml b/deployments/iaa_plugin/base/intel-iaa-plugin.yaml
index 037179a94..dcf1dd937 100644
--- a/deployments/iaa_plugin/base/intel-iaa-plugin.yaml
+++ b/deployments/iaa_plugin/base/intel-iaa-plugin.yaml
@@ -33,6 +33,11 @@ spec:
  type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
  memory: "25Mi"
diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
index fd0075107..5598e42bc 100644
--- a/deployments/qat_plugin/base/intel-qat-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -36,6 +36,11 @@ spec:
  type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  imagePullPolicy: IfNotPresent
  resources:
  requests:
diff --git a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
index 3ce4073e1..356650554 100644
--- a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
+++ b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@@ -27,6 +27,11 @@ spec:
  type: "container_device_plugin_t"
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
  imagePullPolicy: IfNotPresent
  resources:
  requests:
diff --git a/pkg/controllers/dlb/controller_test.go b/pkg/controllers/dlb/controller_test.go
index 1d318ed15..34770861d 100644
--- a/pkg/controllers/dlb/controller_test.go
+++ b/pkg/controllers/dlb/controller_test.go
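Review bot: In the QAT hunk `seccompProfile` is set on the container's `securityContext`, so the filter covers only that one container; any init container or sidecar an overlay adds to this DaemonSet (none is visible here) starts with the runtime's default capability set and no seccomp profile unless it repeats the block. Declaring `seccompProfile: {type: RuntimeDefault}` once at pod level (`spec.template.spec.securityContext`) makes it the default for every container in the pod, while the container-level `capabilities.drop: [ALL]` stays where it is since capabilities are per-container. The same consideration applies to the IAA and SGX hunks on this line.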
@@ -92,6 +92,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  SecurityContext: &v1.SecurityContext{
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{
diff --git a/pkg/controllers/dsa/controller_test.go b/pkg/controllers/dsa/controller_test.go
index 3d8458d3b..4181e42b1 100644
--- a/pkg/controllers/dsa/controller_test.go
+++ b/pkg/controllers/dsa/controller_test.go
@@ -96,6 +96,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{
diff --git a/pkg/controllers/fpga/controller_test.go b/pkg/controllers/fpga/controller_test.go
index a16ef0a97..b0ca45b81 100644
--- a/pkg/controllers/fpga/controller_test.go
+++ b/pkg/controllers/fpga/controller_test.go
@@ -91,8 +91,13 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  ImagePullPolicy: "IfNotPresent",
  Name: appLabel,
  SecurityContext: &v1.SecurityContext{
+ SELinuxOptions: &v1.SELinuxOptions{
+ Type: "container_device_plugin_t",
+ },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  TerminationMessagePath: "/tmp/termination-log",
  Resources: v1.ResourceRequirements{
diff --git a/pkg/controllers/gpu/controller_test.go b/pkg/controllers/gpu/controller_test.go
index b06f707a6..994f0d88f 100644
--- a/pkg/controllers/gpu/controller_test.go
+++ b/pkg/controllers/gpu/controller_test.go
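Review bot: The hardened `SecurityContext` expectation added in the fpga test hunk (and identically in the dlb and dsa hunks on this line) is now repeated verbatim across every controller test, so the next hardening change means seven copy-paste edits that can drift; a shared test helper such as `func expectedSecurityContext(selinuxType string) *v1.SecurityContext` returning the `ReadOnlyRootFilesystem`/`AllowPrivilegeEscalation`/`Capabilities`/`SeccompProfile` block would keep the expectation in one place. No `controller.go` appears in the diffstat, so these tests presumably pin a DaemonSet rendered from the embedded deployment YAML rather than one built in Go; a comment on `newDaemonSetExpected` stating that this literal must track the manifest would tell the next maintainer which side is authoritative. `newDaemonSetExpected` begins and ends outside the hunk.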
@@ -106,6 +106,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{
diff --git a/pkg/controllers/iaa/controller_test.go b/pkg/controllers/iaa/controller_test.go
index 5d451d9ec..e74ae955f 100644
--- a/pkg/controllers/iaa/controller_test.go
+++ b/pkg/controllers/iaa/controller_test.go
@@ -96,6 +96,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{
diff --git a/pkg/controllers/qat/controller_test.go b/pkg/controllers/qat/controller_test.go
index d94323402..a4a0b55d3 100644
--- a/pkg/controllers/qat/controller_test.go
+++ b/pkg/controllers/qat/controller_test.go
@@ -100,6 +100,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{
diff --git a/pkg/controllers/sgx/controller_test.go b/pkg/controllers/sgx/controller_test.go
index 97fcfbfc7..47f653ed1 100644
--- a/pkg/controllers/sgx/controller_test.go
+++ b/pkg/controllers/sgx/controller_test.go
@@ -88,6 +88,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
  },
  ReadOnlyRootFilesystem: &yes,
  AllowPrivilegeEscalation: &no,
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
  },
  Resources: v1.ResourceRequirements{
  Limits: v1.ResourceList{