Add anyuid SCC to compute domain service account on OpenShift

empovit · empovit · commit 0ed747c1c85b · 2025-09-15T23:32:38.000+03:00
Red Hat OpenShift blocks writing into `/etc`, causing the
following error in compute-domain-daemon pods:

```
IMEXDaemonUpdateLoop failed, initiate shutdown:
writeNodesConfig failed: failed to create nodes config file:
open /etc/nvidia-imex/nodes_config.cfg: permission denied
```

Binding `anyuid` SCC to the service account when run on OpenShift
solves this problem.

Signed-off-by: Vitaliy Emporopulo &lt;vemporop@redhat.com&gt;
diff --git a/deployments/helm/nvidia-dra-driver-gpu/templates/compute-domain-daemon-service-account.yaml b/deployments/helm/nvidia-dra-driver-gpu/templates/compute-domain-daemon-service-account.yaml
@@ -26,4 +26,19 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: compute-domain-daemon-role
-  apiGroup: rbac.authorization.k8s.io 
+  apiGroup: rbac.authorization.k8s.io
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: compute-domain-daemon-anyuid-role-binding
+subjects:
+- kind: ServiceAccount
+  name: compute-domain-daemon-service-account
+  namespace: {{ include "nvidia-dra-driver-gpu.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
