Merge pull request #72342 from openshift-cherrypick-robot/cherry-pick-62529-to-enterprise-4.16

[enterprise-4.16] OSDOCS 6914: Updating pod examples to comply with restricted PSA (Sca…
2026-02-05 12:46:18 +01:00 · 2024-02-28 15:17:31 -05:00
parent 6625c28cd1 c7654bde2c
commit a3b664843d
3 changed files with 26 additions and 2 deletions
--- a/modules/cnf-configure_for_irq_dynamic_load_balancing.adoc
+++ b/modules/cnf-configure_for_irq_dynamic_load_balancing.adoc
@@ -49,6 +49,10 @@ metadata:
     irq-load-balancing.crio.io: "disable"
     cpu-quota.crio.io: "disable"
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
  containers:
  - name: dynamic-irq-pod
    image: "registry.redhat.io/openshift4/cnf-tests-rhel8:v{product-version}"
@@ -60,10 +64,14 @@ spec:
      limits:
        cpu: 2
        memory: "200M"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
  nodeSelector:
    node-role.kubernetes.io/worker-cnf: ""
  runtimeClassName: performance-dynamic-irq-profile
-...
+# ...
 ----

 . Enter the pod `runtimeClassName` in the form performance-<profile_name>, where <profile_name> is the `name` from the `PerformanceProfile` YAML, in this example, `performance-dynamic-irq-profile`.
@@ -176,4 +184,4 @@ find /proc/irq/ -name smp_affinity_list -exec sh -c 'i="$1"; mask=$(cat $i); fil
 /proc/irq/28/smp_affinity_list: 1
 /proc/irq/29/smp_affinity_list: 0
 /proc/irq/30/smp_affinity_list: 0-5
----
+----
--- a/modules/cnf-provisioning-real-time-and-low-latency-workloads.adoc
+++ b/modules/cnf-provisioning-real-time-and-low-latency-workloads.adoc
@@ -173,6 +173,10 @@ metadata:
  name: qos-demo
  namespace: qos-example
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
  containers:
  - name: qos-demo-ctr
    image: <image-pull-spec>
@@ -183,6 +187,10 @@ spec:
      requests:
        memory: "200Mi"
        cpu: "1"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----

 . Create the pod:
--- a/modules/setting-up-cpu-manager.adoc
+++ b/modules/setting-up-cpu-manager.adoc
@@ -116,6 +116,10 @@ kind: Pod
 metadata:
  generateName: cpumanager-
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
  containers:
  - name: cpumanager
    image: gcr.io/google_containers/pause:3.2
@@ -126,6 +130,10 @@ spec:
      limits:
        cpu: 1
        memory: "1G"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
  nodeSelector:
    cpumanager: "true"
 ----