Add Openshift SCC handling #36
Open
tkatila wants to merge 2 commits into
Pull request overview
This PR adds OpenShift-specific support for running GPU Base Operator managed workloads under OpenShift SCC constraints, including creating SCC/RBAC resources and setting pod security context (SELinux spc_t) and ServiceAccounts where needed.
Changes:
- Add OpenShift SCC helper utilities (SCC builders + create/cleanup helpers) and wire them into DP, XPUM, DRA, and FW Update reconcilers.
- Extend RBAC to allow managing OpenShift SCCs and adjust controller/Helm operator resource requests/limits.
- Add/extend controller tests to cover SCC helpers, OpenShift reconciliation paths, and a few unrelated edge cases (log-level mapping, Prometheus reconciliation).
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/controller/xpumanager_controller.go | Ensures XPUM SCC/RBAC/SA on OpenShift and applies spc_t + SA to the DaemonSet. |
| internal/controller/xpumanager_controller_test.go | Adds tests for log level mapping used by XPUM OTel config. |
| internal/controller/suite_test.go | Adds an additional CRDDirectoryPaths entry intended for OpenShift SCC testing. |
| internal/controller/openshift.go | Introduces SCC builders and ensure/create/delete helpers (SCC, SA, ClusterRole, ClusterRoleBinding). |
| internal/controller/openshift_test.go | Adds envtest coverage for SCC helper functions. |
| internal/controller/misc_controller_test.go | Adds tests for nil ClusterPolicy and “already absent” Prometheus removal behavior. |
| internal/controller/gpufirmwareupdate_controller.go | Ensures FW-update SCC/RBAC/SA on OpenShift and sets Job SA; cleans up on finalizer. |
| internal/controller/dra_controller.go | Adds OpenShift SCC/RBAC creation and cleanup during DRA lifecycle; sets spc_t for SELinux. |
| internal/controller/dra_controller_test.go | Adds OpenShift reconciliation tests for DRA SCC resources and cleanup when switching modes. |
| internal/controller/deviceplugin_controller.go | Ensures DP SCC/RBAC/SA on OpenShift and sets DaemonSet ServiceAccountName; cleans up on removal. |
| internal/controller/deviceplugin_controller_test.go | Adds OpenShift reconciliation tests for DP + XPUM SCC resources and DaemonSet SA names. |
| internal/controller/clusterpolicy_controller.go | Adds OpenShift SCC RBAC markers; improves deletion finalizer update handling and status error trimming safety. |
| config/rbac/role.yaml | Grants SCC CRUD/use and expands clusterrole/clusterrolebinding verbs. |
| config/rbac/namespaced_role.yaml | Adds watch for ServiceAccounts. |
| config/manager/manager.yaml | Updates controller-manager resource requests/limits. |
| charts/gpu-base-operator/values.yaml | Updates default operator resource requests/limits in Helm values. |
| charts/gpu-base-operator/templates/role.yaml | Mirrors RBAC updates for Helm install. |
| charts/gpu-base-operator/templates/namespaced_role.yaml | Mirrors namespaced role watch update for Helm install. |
5e0a2d7 to 9a7fd52
pfl reviewed Jun 18, 2026
cc5988a to 0cda3af
Set up roles, RBs and SCCs when in OpenShift deployment. Define SCC profiles for each deployment.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
0cda3af to 2904ede
No description provided.