Fix SCC for OCP v0.9 (#562)

* Added scc for kai deployments

Author: itsomri

CHANGELOG.md

@@ -6,8 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [v0.9.5] - 20250-10-09
+
+### Added
+- Support DRA in kubernetes 1.34
+
 ### Fixed
 - Fixed a bug where the scheduler would not re-try updating podgroup status after failure
+- Added missing SCC for Openshift installations
 
 ## [v0.9.1] - 20250-09-15
 

Makefile

@@ -33,6 +33,10 @@ $(SERVICE_NAMES):
 	$(MAKE) build-go SERVICE_NAME=$@
 	$(MAKE) docker-build-generic SERVICE_NAME=$@
 
+.PHONY: push
+push: $(SERVICE_NAMES)
+	docker push $(DOCKER_REPO_BASE)/crd-upgrader:$(VERSION)
+
 .PHONY: validate
 validate: generate manifests clients gen-license generate-mocks lint
 	git diff --exit-code

deployments/kai-scheduler/templates/crd-upgrader.yaml

@@ -12,13 +12,35 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded
 spec:
   template:
+    metadata:
+      {{- if (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "clusterversions.config.openshift.io") }}
+      annotations:
+        openshift.io/scc: kai-system
+      {{- else }}
+      labels:
+        app: crd-upgrader
+      {{- end }}
     spec:
       serviceAccountName: kai-scheduler-crd-manager
+      {{- if (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "clusterversions.config.openshift.io") }}
+      securityContext:
+        runAsUser: 10000
+        runAsNonRoot: true
+        fsGroup: 10000
+      {{- end }}
       containers:
       - name: upgrader
         image: "{{ .Values.global.registry }}/{{ .Values.crdupgrader.image.name }}:{{ .Chart.Version }}"
         imagePullPolicy: {{ .Values.crdupgrader.image.pullPolicy }}
-        {{- if .Values.global.securityContext }}
+        {{- if (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "clusterversions.config.openshift.io") }}
+        securityContext:
+          runAsUser: 10000
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        {{- else if .Values.global.securityContext }}
         securityContext:
           {{- toYaml .Values.global.securityContext | nindent 10 }}
         {{- end }}

deployments/kai-scheduler/templates/kai-config.yaml

@@ -6,6 +6,9 @@ kind: Config
 metadata:
   name: kai-config
   namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "3"
 spec:
   namespace: {{ .Release.Namespace }}
   global:

deployments/kai-scheduler/templates/rbac/scc.yaml

@@ -0,0 +1,133 @@
+# Copyright 2025 NVIDIA CORPORATION
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "clusterversions.config.openshift.io") }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: kai-system
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 1
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: MustRunAs
+  uid: 10000
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:admission
+- system:serviceaccount:{{ .Release.Namespace }}:binder
+- system:serviceaccount:{{ .Release.Namespace }}:kai-operator
+- system:serviceaccount:{{ .Release.Namespace }}:pod-grouper
+- system:serviceaccount:{{ .Release.Namespace }}:podgroup-controller
+- system:serviceaccount:{{ .Release.Namespace }}:queue-controller
+- system:serviceaccount:{{ .Release.Namespace }}:scheduler
+- system:serviceaccount:{{ .Release.Namespace }}:node-scale-adjuster
+- system:serviceaccount:{{ .Release.Namespace }}:kai-scheduler-crd-manager
+volumes:
+- awsElasticBlockStore
+- azureDisk
+- azureFile
+- cephFS
+- cinder
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- fc
+- flexVolume
+- flocker
+- gcePersistentDisk
+- gitRepo
+- glusterfs
+- iscsi
+- nfs
+- persistentVolumeClaim
+- photonPersistentDisk
+- portworxVolume
+- projected
+- quobyte
+- rbd
+- scaleIO
+- secret
+- storageOS
+- vsphere
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kai-system-scc
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - kai-system
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kai-system-scc
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kai-system-scc
+subjects:
+  - kind: ServiceAccount
+    name: admission
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: binder
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: kai-operator
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: pod-grouper
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: podgroup-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: queue-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: scheduler
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: node-scale-adjuster
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: kai-scheduler-crd-manager
+    namespace: {{ .Release.Namespace }}
+{{- end }}