Run as nonRoot and set automountServiceAccountToken to false

[ethan-young-vgm]

We have implemented GPU Operator on our AKS cluster, and it is working great.
Few issues though. Azure is lighting up with high security vulnerabilities due to running the containers as root and auto mounting the service account token to the container.

We have already fixed these issues for everything else and even had to switch Kafka helm chart providers...
I don't see an option in GPU Operator's helm chart to configure these two settings.

I know this is not just on AKS as I saw others from other cloud providers saying the same with other helm charts, so my question is, will this be added in the future or is this even something that can be done with GPU Operator?

[elezar]

@shivamerla is this related to our discussion yesterday?

[caiobegotti]

hey folks 👋 not just about running as non-root but i'm wondering what would be needed/exempted from a spec like below for the gpu-operator?

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  seccompProfile:
    type: RuntimeDefault

i understand it may need certain capabilities etc but i don't which ones to whitelist or something else the gpu-operator needs that requires some root-level of access

[doc]

Any update on this issue?

[github-actions]

This issue is stale because it has been open 90 days with no activity. This issue will be closed in 30 days unless new comments are made or the stale label is removed. To skip these checks, apply the "lifecycle/frozen" label.

[cdesiniotis]

I don't see an option in GPU Operator's helm chart to configure these two settings.

@ethan-young-vgm can you clarify which exact components you are looking to configure these options for? Just the gpu-operator deployment? Or also all the other daemonsets that get deployed? Note, most of our daemonsets need to run with elevated privileges to function, so it is not technically feasible to run them as a non-root user.