NRI pod can't access the device /dev/isst_interface

[changzhi1990]

Hi, all.

Based on my testing about the sst feature in the topology-aware policy. I found that there some problems in the NRI pod.

The NRI pod can't find the /host/dev/isst_interface device.

After some research, I add these lines to the NRI daemonset.

Then, the NRI pod has no permission to access this device:

W0804 01:56:49.287017       1 system.go:297] failed to get SST info for package 0: failed to read SST PP info: Mbox command failed with failed to open isst device "/host/dev/isst_interface": open /host/dev/isst_interface: operation not permitted

After that, I noticed that there are some securitycontext in the daemonset file and I modified it:

I added the privileged: true into it and I commented the next two lines. At last, the NRI can access the sst device:

So does my approach was correct?

[marquiz]

Yes, looks about right. Running privileged should be an option (default to false) in the Helm chart

[changzhi1990]

Yes, looks about right. Running privileged should be an option (default to false) in the Helm chart

Do we need to create a pr to fix it?

[marquiz]

Do we need to create a pr to fix it?

Yes, we need that. Add new options to the Helm chart to enable privileged mode and mount the host-dev