Disable hostNetwork with DCGM Exporter when embedded hostengine is used

parallelo · Dec 8, 2021 · 47319f1 · 47319f1
1 parent 42fdc42
commit 47319f1
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/assets/state-dcgm-exporter/0810_scc.openshift.yaml b/assets/state-dcgm-exporter/0810_scc.openshift.yaml
@@ -4,7 +4,7 @@
 #
 allowHostDirVolumePlugin: true
 allowHostIPC: false
-allowHostNetwork: true
+allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: true
 allowPrivilegeEscalation: true

diff --git a/assets/state-dcgm-exporter/0900_daemonset.yaml b/assets/state-dcgm-exporter/0900_daemonset.yaml
@@ -25,7 +25,6 @@ spec:
       priorityClassName: system-node-critical
       serviceAccount: nvidia-dcgm-exporter
       serviceAccountName: nvidia-dcgm-exporter
-      hostNetwork: true
       initContainers:
       - name: toolkit-validation
         image: "FILLED BY THE OPERATOR"

diff --git a/controllers/object_controls.go b/controllers/object_controls.go
@@ -876,6 +876,8 @@ func TransformDCGMExporter(obj *appsv1.DaemonSet, config *gpuv1.ClusterPolicySpe
 	}
 	// check if DCGM hostengine is enabled as a separate Pod and setup env accordingly
 	if config.DCGM.IsEnabled() {
+		// enable hostNetwork for communication with external DCGM using NODE_IP
+		obj.Spec.Template.Spec.HostNetwork = true
 		// set DCGM host engine env. NODE_IP will be substituted during pod runtime
 		dcgmHostPort := int32(DCGMDefaultHostPort)
 		if config.DCGM.HostPort != 0 {
@@ -2403,6 +2405,11 @@ func SecurityContextConstraints(n ClusterPolicyController) (gpuv1.State, error)
 		obj.AllowHostIPC = true
 	}
 
+	// Allow hostNetwork only when a separate standalone DCGM engine is deployed for communication
+	if obj.Name == "nvidia-dcgm-exporter" && n.singleton.Spec.DCGM.IsEnabled() {
+		obj.AllowHostNetwork = true
+	}
+
 	if err := controllerutil.SetControllerReference(n.singleton, obj, n.rec.Scheme); err != nil {
 		return gpuv1.NotReady, err
 	}