Bug 2187603 - [DPDK Checkup] Add ServiceAccount and SCC for the traffic generator pod
Status: CLOSED NEXTRELEASE
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Documentation
Version: 4.13.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Avital Pinnick
QA Contact: Yossi Segev
Reported: 2023-04-18 06:36 UTC by Orel Misan
Modified: 2023-04-20 10:13 UTC (History)

Last Closed: 2023-04-20 10:13:36 UTC
Links: Red Hat Issue Tracker CNV-28196 (last updated 2023-04-18 06:36:47 UTC)

Description Orel Misan 2023-04-18 06:36:18 UTC
Document URL: 

modules/virt-checking-cluster-dpdk-readiness.adoc

Section Number and Name: 
.Example roles manifest

Describe the issue: 

An additional ServiceAccount is needed:
```
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dpdk-checkup-traffic-gen-sa
```

The following SecurityContextConstraints object is needed as well:
```
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: dpdk-checkup-traffic-gen
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- IPC_LOCK
- NET_ADMIN
- NET_RAW
- SYS_RESOURCE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- runtime/default
- unconfined
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:dpdk-checkup-ns:dpdk-checkup-traffic-gen-sa
volumes:
- hostPath
```

Without these additions, the checkup cannot start.

Suggestions for improvement: 

Additional information: 
Link to change on upstream documentation https://github.com/kiagnose/kubevirt-dpdk-checkup/pull/102/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5

Comment 2 Avital Pinnick 2023-04-20 10:13:36 UTC
Changes approved and merged.

