qat: Document AppArmor anntotation configurability in operatop deployments

ozhuraki · ozhuraki · commit 7029aecb73f3 · 2023-11-15T13:55:04.000+02:00
Signed-off-by: Oleg Zhurakivskyy &lt;oleg.zhurakivskyy@intel.com&gt;
diff --git a/cmd/qat_plugin/README.md b/cmd/qat_plugin/README.md
@@ -148,6 +148,9 @@ When using the operator for deploying the plugin with provisioning config, use `
 
 There's also a possibility for a node specific congfiguration through passing a nodename via `NODE_NAME` into initcontainer's environment and passing a node specific profile (`qat-$NODE_NAME.conf`) via ConfigMap volume mount.
 
+CR annotations in [deviceplugin_v1_qatdeviceplugin.yaml](../../deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml) propagate to the DaemonSet annotations. By default, the operator based deployment sets AppArmor policy to `"unconfined"` but this can be overridden by setting the AppArmor annotation to a new value in the CR annotations.
+
+For non-operator plugin deployments such annotations can be dropped with the kustomization if required.
 
 ### Verify Plugin Registration
 
diff --git a/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml b/deployments/operator/samples/deviceplugin_v1_qatdeviceplugin.yaml
@@ -2,12 +2,11 @@ apiVersion: deviceplugin.intel.com/v1
 kind: QatDevicePlugin
 metadata:
   name: qatdeviceplugin-sample
-  # example apparmor annotation
-  # see more details here:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
+  # see more details on AppArmor here:
   #  - https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod
   #  - https://github.com/intel/intel-device-plugins-for-kubernetes/issues/381
-  # annotations:
-  #   container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   image: intel/intel-qat-plugin:0.28.0
   initImage: intel/intel-qat-initcontainer:0.28.0
diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -4,6 +4,8 @@ metadata:
   name: intel-qat-plugin
   labels:
     app: intel-qat-plugin
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
 spec:
   selector:
     matchLabels:
@@ -12,6 +14,8 @@ spec:
     metadata:
       labels:
         app: intel-qat-plugin
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
     spec:
       automountServiceAccountToken: false
       containers:
diff --git a/pkg/controllers/qat/controller_test.go b/pkg/controllers/qat/controller_test.go
@@ -164,9 +164,16 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 func TestNewDaemonSetQAT(t *testing.T) {
 	c := &controller{}
 
-	plugin := &devicepluginv1.QatDevicePlugin{}
+	plugin := &devicepluginv1.QatDevicePlugin{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"container.apparmor.security.beta.kubernetes.io/intel-qat-plugin": "unconfined",
+			},
+		},
+	}
 	plugin.Name = "testing"
 	plugin.Spec.InitImage = "intel/intel-qat-initcontainer:" + controllers.ImageMinVersion.String()
+
 	expected := c.newDaemonSetExpected(plugin)
 	actual := c.NewDaemonSet(plugin)
 
