feat(helm): make device plugin security context configurable via values#1887
Conversation
There was a problem hiding this comment.
Code Review
This pull request parameterizes the hostPID, hostNetwork, and securityContext settings for the NVIDIA device plugin DaemonSet, moving previously hardcoded values into values.yaml. The review feedback recommends wrapping the securityContext blocks in Helm with statements to better handle cases where values might be null or omitted. There is also a suggestion to adjust the placement of the new securityContext field in values.yaml to preserve the association between the resources field and its descriptive comments.
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Expose hardcoded hostPID, hostNetwork, and all container securityContext
fields as overridable values in values.yaml. Current settings are
preserved as defaults so this is a non-breaking change.
Wrap securityContext blocks in {{- with }} so they are safely omitted
when overridden to null. Move monitor.securityContext before resources
in values.yaml to keep resource comments associated with the right field.
Signed-off-by: ilia-medvedev <ilia.medvedev@gong.io>
b8910e3 to
994b102
Compare
…ToolkitReady Co-locates the init container security settings with the other gpuOperatorToolkitReady options for clarity, since that block is the only place the init container is used. Signed-off-by: ilia-medvedev <ilia.medvedev@gong.io>
📝 WalkthroughWalkthrough
ChangesConfigurable Device Plugin Security
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/hami/templates/device-plugin/daemonsetnvidia.yaml`:
- Line 43: The hostPID templating in the device plugin DaemonSet is overriding
an explicit false value because default true treats false as empty. Update the
hostPID rendering logic in the daemonset template so devicePlugin.hostPID=false
is preserved as false instead of falling back to true, using the existing
hostPID value handling in the chart template.
In `@charts/hami/values.yaml`:
- Around line 272-274: The init container security context is currently defined
under gpuOperatorToolkitReady.securityContext, but the contract expects it at
devicePlugin.initContainerSecurityContext, so the configured value path is being
ignored. Move the default in values.yaml to the documented
devicePlugin.initContainerSecurityContext key and update the DaemonSet/template
lookup to read from that same path, using the relevant securityContext fields in
the init container rendering logic.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 088bf6e1-58bb-4841-8601-0d548997648c
📒 Files selected for processing (2)
charts/hami/templates/device-plugin/daemonsetnvidia.yamlcharts/hami/values.yaml
19f8a7d to
c370332
Compare
Signed-off-by: ilia-medvedev <ilia.medvedev@gong.io>
|
The PR says Closes #1888 but 2 things from that issue are not working:
Both need to be fixed before this can actually close #1888. |
Signed-off-by: ilia-medvedev <ilia.medvedev@gong.io>
|
@mesutoezdil I've fixed the hostPID . as for the initContainer- it's cleaner to use the already existing parent value for it so using |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: archlitchi, ilia-medvedev The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
hostPIDandhostNetworkon the device plugin DaemonSet pod spec are now values-configurable (defaults:true/false— unchanged from current behaviour)securityContextfor the maindevice-plugincontainer is now values-configurable (default:privileged: true,allowPrivilegeEscalation: true,SYS_ADMIN)securityContextfor thevgpu-monitorcontainer is now values-configurable (default:allowPrivilegeEscalation: false,SYS_ADMIN)gpuOperatorToolkitReady.securityContextfor the toolkit-validation init container is now values-configurable (default:privileged: true,runAsUser: 0)All defaults preserve the existing hardcoded values — this is a non-breaking change.
Motivation
Users deploying HAMi in environments with custom Pod Security Admission policies or restricted node configurations need to be able to tune these settings without patching the chart templates.
Through testing we found that not all security defaults — such as
privileged: trueandhostPID: true— are required for every use case. Making these configurable allows users to apply a least-privilege posture where their environment permits.Closes #1888
Related: #1143
Summary by CodeRabbit
New Features
Bug Fixes