Improve QAT+Apparmor case #1575

mythi · 2023-10-24T06:02:38Z

Since #381, we've known that adding

 annotations:
   container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined

for the QAT plugin daemonSet can be used to mitigate an issue where the plugin fails to initialize on an Apparmor enabled OS.

Triggered by #1571, I'm noticing the annotation setup is poorly documented so users are expected to run into the same problem

We have several ways to improve the case:

Add the annotation by default (it would be ignored on systems that don't have Apparmor but then we'd loose configurability)
Move dpdkDrv setup to initcontainer OR document how vfio-pci can be automatically made to probe QAT VFs (via ids module param)
Make the issue more visible in the docs.
...

The text was updated successfully, but these errors were encountered:

ozhuraki · 2023-11-03T12:16:02Z

Let's make this annotation default. If the confugurability is needed, the annotation can be dropped with the kustomization.

mythi · 2023-11-06T12:50:07Z

Let's make this annotation default. If the confugurability is needed, the annotation can be dropped with the kustomization.

I thought about making it default too but the problem is that with the operator it cannot be dropped because kustomization is not involved.

mythi added qat QAT device plugin related issue docs Documentation related issue labels Oct 24, 2023

mythi mentioned this issue Oct 30, 2023

qat: Add a note on plugin deployment with AppArmor #1576

Closed

mythi mentioned this issue Jan 10, 2024

qat: Add AppArmor unconfided anntotation configurability in the operator #1591

Merged

mythi closed this as completed in #1591 Jan 10, 2024

Provide feedback