
Commit f2e279c

Adding OCP security context
Signed-off-by: Vishesh Tanksale <vtanksale@nvidia.com>
1 parent f162148 commit f2e279c


1 file changed

+26
-5
lines changed


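--- a/api/apps/v1alpha1/nimservice_types.go
+++ b/api/apps/v1alpha1/nimservice_types.go
@@ -499,6 +499,8 @@ func (n *NIMService) GetStandardAnnotations() map[string]string {
 	}
 	if n.GetProxyCertConfigMap() != "" {
 		standardAnnotations["openshift.io/required-scc"] = "anyuid"
+	} else if n.GetHostPath() != "" {
+		standardAnnotations["openshift.io/required-scc"] = "hostmount-anyuid"
 	}
 	return standardAnnotations
 }
@@ -709,7 +711,8 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 			},
 		},
 	}
-	if modelPVC != nil {
+	switch {
+	case modelPVC != nil:
 		volumes = append(volumes, corev1.Volume{
 			Name: "model-store",
 			VolumeSource: corev1.VolumeSource{
@@ -719,7 +722,7 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 				},
 			},
 		})
-	} else if n.Spec.Storage.EmptyDir != nil {
+	case n.Spec.Storage.EmptyDir != nil:
 		volumes = append(volumes, corev1.Volume{
 			Name: "model-store",
 			VolumeSource: corev1.VolumeSource{
@@ -728,7 +731,7 @@ func (n *NIMService) GetVolumes(modelPVC *PersistentVolumeClaim) []corev1.Volume
 				},
 			},
 		})
-	} else if n.Spec.Storage.HostPath != nil && *n.Spec.Storage.HostPath != "" {
+	case n.GetHostPath() != "":
 		hostPathType := corev1.HostPathDirectoryOrCreate
 		volumes = append(volumes, corev1.Volume{
 			Name: "model-store",
@@ -1428,7 +1431,8 @@ func (n *NIMService) GetRoleParams() *rendertypes.RoleParams {
 	params.Namespace = n.GetNamespace()
 
 	// Set rules to use SCC
-	if n.GetProxySpec() != nil {
+	switch {
+	case n.GetProxySpec() != nil:
 		params.Rules = []rbacv1.PolicyRule{
 			{
 				APIGroups: []string{"security.openshift.io"},
@@ -1437,7 +1441,16 @@ func (n *NIMService) GetRoleParams() *rendertypes.RoleParams {
 				Verbs: []string{"use"},
 			},
 		}
-	} else {
+	case n.GetHostPath() != "":
+		params.Rules = []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"security.openshift.io"},
+				Resources: []string{"securitycontextconstraints"},
+				ResourceNames: []string{"hostmount-anyuid"},
+				Verbs: []string{"use"},
+			},
+		}
+	default:
 		params.Rules = []rbacv1.PolicyRule{
 			{
 				APIGroups: []string{"security.openshift.io"},
@@ -1602,6 +1615,14 @@ func (n *NIMService) GetProxyCertConfigMap() string {
 	return ""
 }
 
+// GetHostPath returns the host path for the NIMService deployment.
+func (n *NIMService) GetHostPath() string {
+	if n.Spec.Storage.HostPath != nil && *n.Spec.Storage.HostPath != "" {
+		return *n.Spec.Storage.HostPath
+	}
+	return ""
+}
+
 // GetInferenceServiceParams returns params to render InferenceService from templates.
 func (n *NIMService) GetInferenceServiceParams(
 	deploymentMode kserveconstants.DeploymentModeType) *rendertypes.InferenceServiceParams {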
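Review bot: The new `case n.GetHostPath() != "":` arms in GetRoleParams and GetStandardAnnotations grant and annotate `hostmount-anyuid` whenever Spec.Storage.HostPath is non-empty, but GetVolumes only mounts the hostPath when neither modelPVC nor Spec.Storage.EmptyDir is selected, so a NIMService with a PVC (or EmptyDir) and a leftover HostPath gets a Role permitting `use` of the hostmount SCC that its pod never needs. Conversely, when a proxy and a hostPath are both configured the proxy arm wins in both switches while GetVolumes still adds the hostPath volume, which I would expect OpenShift SCC admission to reject (the proxy arm's ResourceNames line is outside the hunk, so this is inferred). Because `hostmount-anyuid` permits host filesystem mounts, keeping the grant to the cases that actually mount one is a least-privilege concern rather than tidiness. Deriving a single storage decision (PVC, EmptyDir or HostPath) and consuming it in all three methods would close both gaps; at minimum, widen the GetHostPath doc comment to `// GetHostPath returns Spec.Storage.HostPath, or "" when unset. A non-empty value does not imply the hostPath is the selected model store; see GetVolumes.`. GetStandardAnnotations, GetVolumes and GetRoleParams all start or end outside their hunks.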
