qat: Document AppArmor anntotation configurability in operatop deployments

ozhuraki · ozhuraki · commit 0c37ec5a67ee · 2023-11-14T20:55:40.000+02:00
Signed-off-by: Oleg Zhurakivskyy &lt;oleg.zhurakivskyy@intel.com&gt;
diff --git a/cmd/qat_plugin/README.md b/cmd/qat_plugin/README.md
@@ -148,6 +148,9 @@ When using the operator for deploying the plugin with provisioning config, use `
 
 There's also a possibility for a node specific congfiguration through passing a nodename via `NODE_NAME` into initcontainer's environment and passing a node specific profile (`qat-$NODE_NAME.conf`) via ConfigMap volume mount.
 
+CR annotations in [deviceplugin_v1_qatdeviceplugin.yaml](../../deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml) propagate to the DaemonSet annotations. In case AppArmor "unconfined" annotation needs to be dropped in the operator deployments (enabled by default), manually drop it from the CR sample.
+
+For non-operator plugin deployments such annotations can be dropped with the kustomization if required.
 
 ### Verify Plugin Registration
 
diff --git a/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml b/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
@@ -2,12 +2,11 @@ apiVersion: deviceplugin.intel.com/v1
 kind: QatDevicePlugin
 metadata:
   name: qatdeviceplugin-sample
-  # example apparmor annotation
-  # see more details here:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
+  # see more details on AppArmor here:
   #  - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
   #  - https://github.com/intel/intel-device-plugins-for-kubernetes/issues/381
-  # annotations:
-  #   container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   image: intel/intel-qat-plugin:0.28.0
   initImage: intel/intel-qat-initcontainer:0.28.0
diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -4,6 +4,8 @@ metadata:
   name: intel-qat-plugin
   labels:
     app: intel-qat-plugin
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
     metadata:
       labels:
         app: intel-qat-plugin
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
     spec:
       automountServiceAccountToken: false
       containers:
diff --git a/pkg/controllers/qat/controller_test.go b/pkg/controllers/qat/controller_test.go
@@ -39,6 +39,12 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 	no := false
 	pluginAnnotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
 
+	if pluginAnnotations == nil {
+		pluginAnnotations = make(map[string]string)
+	}
+
+	pluginAnnotations["container.apparmor.security.beta.kubernetes.io/intel-qat-plugin"] = "unconfined"
+
 	daemonSet := apps.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "DaemonSet",
