NVIDIA · arthur-r-oliveira · May 27, 2024 · May 27, 2024 · May 27, 2024 · May 29, 2024
diff --git a/deployments/helm/nvidia-device-plugin/templates/role-binding.yml b/deployments/helm/nvidia-device-plugin/templates/role-binding.yml
@@ -14,4 +14,22 @@ roleRef:
   kind: ClusterRole
   name: {{ include "nvidia-device-plugin.fullname" . }}-role
   apiGroup: rbac.authorization.k8s.io
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "nvidia-device-plugin.fullname" . }}-role-binding
+  namespace: {{ include "nvidia-device-plugin.namespace" . }}
+  labels:
+    {{- include "nvidia-device-plugin.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "nvidia-device-plugin.fullname" . }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "nvidia-device-plugin.fullname" . }}-service-account
+    namespace: {{ include "nvidia-device-plugin.namespace" . }}
+{{- end }}
 {{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/templates/role.yml b/deployments/helm/nvidia-device-plugin/templates/role.yml
@@ -10,9 +10,41 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list", "watch"]
+  {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{- end }}
   {{- if and .Values.gfd.enabled .Values.nfd.enableNodeFeatureApi }}
   - apiGroups: ["nfd.k8s-sigs.io"]
     resources: ["nodefeatures"]
     verbs: ["get", "list", "watch", "create", "update"]
   {{- end }}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "nvidia-device-plugin.fullname" . }}-role
+  namespace: {{ include "nvidia-device-plugin.namespace" . }}
+  labels:
+    {{- include "nvidia-device-plugin.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: 
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{- end }}
 {{- end }}
diff --git a/deployments/helm/nvidia-device-plugin/values.yaml b/deployments/helm/nvidia-device-plugin/values.yaml
@@ -149,4 +149,4 @@ mps:
   # be created. This includes a daemon-specific /dev/shm and pipe and log
   # directories.
   # Pipe directories will be created at {{ mps.root }}/{{ .ResourceName }}
-  root: "/run/nvidia/mps"
+  root: "/run/nvidia/mps"