NVIDIA / k8s-nim-operator

An Operator for deployment and maintenance of NVIDIA NIMs and NeMo microservices in a Kubernetes environment.
https://docs.nvidia.com/nim-operator/latest
Apache License 2.0

Add orchestrator type specific spec for pods created by the operator #201

Closed shivamerla closed 3 weeks ago

shivamerla commented 3 weeks ago

For example, seccompProfile is a must for TKGS, while it is not supported on OCP with the nonroot SCC.

shivamerla commented 3 weeks ago

Error on TKGS if Seccomp Profile is not set

Warning ReconcileFailed 2s (x13 over 23s) nimcache-controller NIMCache nimcache1 reconcile failed, msg: pods "nimcache1-pod" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or container "nim-cache" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

However, OCP doesn't like it.

ReconcileFailed 1s (x9 over 2s) nimcache-controller NIMCache meta-llama3-8b-instruct-a100-tp1 reconcile failed, msg: pods "meta-llama3-8b-instruct-a100-tp1-pod" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/nim-cache-ctr]: Forbidden: seccomp may not be set,
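
The per-orchestrator seccomp handling this issue asks for, as an added example that is not code from k8s-nim-operator. The orchestrator names `tkgs` and `openshift`, the stand-in types, and the functions `ApplySeccomp` and `Admit` are assumptions; `Admit` models only the two rejections quoted above, not the full admission logic of either platform.

```go
package main

import "fmt"

// Stand-ins for corev1 types; Seccomp models securityContext.seccompProfile.type.
type Container struct{ Name, Seccomp string }
type PodSpec struct {
	Seccomp    string // pod-level profile type, "" when unset
	Containers []Container
}

// ApplySeccomp sets or clears seccomp per orchestrator (names are hypothetical).
func ApplySeccomp(spec *PodSpec, orchestrator string) {
	switch orchestrator {
	case "tkgs": // PodSecurity "restricted" demands an explicit profile
		spec.Seccomp = "RuntimeDefault"
	case "openshift": // nonroot SCC: seccomp must stay unset everywhere
		spec.Seccomp = ""
		for i := range spec.Containers {
			spec.Containers[i].Seccomp = ""
		}
	}
}

// Admit is a simplified model of the two rejections quoted in the issue.
func Admit(spec PodSpec, orchestrator string) error {
	for _, c := range spec.Containers {
		if orchestrator == "openshift" && (spec.Seccomp != "" || c.Seccomp != "") {
			return fmt.Errorf("%s: seccomp may not be set", c.Name)
		}
		t := c.Seccomp
		if t == "" {
			t = spec.Seccomp // container inherits the pod-level profile
		}
		if orchestrator == "tkgs" && t != "RuntimeDefault" && t != "Localhost" {
			return fmt.Errorf("%s: seccompProfile.type must be RuntimeDefault or Localhost", c.Name)
		}
	}
	return nil
}

func main() {
	spec := PodSpec{Containers: []Container{{Name: "nim-cache"}}} // constructed sample
	for _, o := range []string{"tkgs", "openshift"} {
		fmt.Println(o, "before:", Admit(spec, o))
		ApplySeccomp(&spec, o)
		fmt.Println(o, "after:", Admit(spec, o))
	}
}
```

The same pod spec cannot pass both checks, which is why the setting has to be chosen from the detected or configured orchestrator type.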