Skip to content

Always use dedicated service account in device-plugin helm chart#1372

Merged
cdesiniotis merged 1 commit into
NVIDIA:mainfrom
cdesiniotis:use-dedicated-service-account
May 22, 2026
Merged

Always use dedicated service account in device-plugin helm chart#1372
cdesiniotis merged 1 commit into
NVIDIA:mainfrom
cdesiniotis:use-dedicated-service-account

Conversation

@cdesiniotis
Copy link
Copy Markdown
Contributor

@cdesiniotis cdesiniotis commented Aug 18, 2025
edited
Loading

Before this change, installing the helm chart with default values would lead to the default service account being used. Using the default service account is generally discouraged as it is a shared service account that gets used by all pods in the same namespace that don't specify one. If the default service account was compromised in some way, e.g. given more privileges, then our device-plugin would also gain those privileges and we would not be adhering to the principle of least privilege.

This PR updates our helm chart so that a dedicated service account is always created and used.

elezar
elezar reviewed Sep 10, 2025
View reviewed changes
Comment thread deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
{{- if not .Values.mps.enableHostPID }}
shareProcessNamespace: true
{{- end }}
{{- end }}
Copy link
Copy Markdown
Member

@elezar elezar Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Was this a bug? Were we only adding shareProcessNamespace if we ALSO had a config map?

Copy link
Copy Markdown
Contributor

@rajatchopra rajatchopra May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think shareProcessName was a slip anyways. Looks good now.

elezar
elezar approved these changes Sep 10, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@elezar elezar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a question regarding the HOST PID setting for MPS. (Fixing that may justify a separate commit for the changelogs).

@elezar
Copy link
Copy Markdown
Member

elezar commented Nov 20, 2025

/cherry-pick release-0.18

@elezar elezar force-pushed the use-dedicated-service-account branch from e4e9a5d to d30d159 Compare November 20, 2025 14:44
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented Nov 20, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@ArangoGutierrez
Copy link
Copy Markdown
Collaborator

ArangoGutierrez commented Nov 20, 2025

/ok to test d30d159

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Feb 19, 2026

This PR is stale because it has been open 90 days with no activity. This PR will be closed in 30 days unless new comments are made or the stale label is removed. To skip these checks, apply the "lifecycle/frozen" label.

@github-actions github-actions Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 19, 2026
rajatchopra
rajatchopra approved these changes May 22, 2026
View reviewed changes
Comment thread deployments/helm/nvidia-device-plugin/templates/daemonset-mps-control-daemon.yml
{{- if not .Values.mps.enableHostPID }}
shareProcessNamespace: true
{{- end }}
{{- end }}
Copy link
Copy Markdown
Contributor

@rajatchopra rajatchopra May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think shareProcessName was a slip anyways. Looks good now.

@rajatchopra
Copy link
Copy Markdown
Contributor

rajatchopra commented May 22, 2026

@cdesiniotis This is ready to go. Rebase and merge?

@cdesiniotis
Always use dedicated service account in device-plugin helm chart
81a0e5e 
Signed-off-by: Christopher Desiniotis <cdesiniotis@nvidia.com>
@cdesiniotis cdesiniotis force-pushed the use-dedicated-service-account branch from d30d159 to 81a0e5e Compare May 22, 2026 19:34
@cdesiniotis
Copy link
Copy Markdown
Contributor Author

cdesiniotis commented May 22, 2026

/ok to test 81a0e5e

@cdesiniotis
Copy link
Copy Markdown
Contributor Author

cdesiniotis commented May 22, 2026

/cherry-pick release-0.19

@cdesiniotis cdesiniotis self-assigned this May 22, 2026
@cdesiniotis cdesiniotis merged commit da6a888 into NVIDIA:main May 22, 2026
12 checks passed
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 22, 2026

🤖 Backport PR created for release-0.18: #1803 ⚠️ (has conflicts)

This was referenced May 22, 2026
Closed
Merged
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 22, 2026

🤖 Backport PR created for release-0.19: #1804

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elezar elezar elezar approved these changes

@rajatchopra rajatchopra rajatchopra approved these changes

@tariq1890 tariq1890 tariq1890 approved these changes

@klueska klueska Awaiting requested review from klueska

@ArangoGutierrez ArangoGutierrez Awaiting requested review from ArangoGutierrez

@rajathagasthya rajathagasthya Awaiting requested review from rajathagasthya

Assignees

@cdesiniotis cdesiniotis

Labels

cherry-pick/release-0.18 cherry-pick/release-0.19 lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. must-backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cdesiniotis @elezar @ArangoGutierrez @rajatchopra @tariq1890