Merge pull request #62529 from bergerhoffer/OSDOCS-6914-scalability

bergerhoffer · web-flow · commit 65ab87774b21 · 2024-02-28T15:10:07.000-05:00
OSDOCS 6914: Updating pod examples to comply with restricted PSA (Sca…
diff --git a/modules/cnf-configure_for_irq_dynamic_load_balancing.adoc b/modules/cnf-configure_for_irq_dynamic_load_balancing.adoc
@@ -49,6 +49,10 @@ metadata:
      irq-load-balancing.crio.io: "disable"
      cpu-quota.crio.io: "disable"
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: dynamic-irq-pod
     image: "registry.redhat.io/openshift4/cnf-tests-rhel8:v{product-version}"
@@ -60,10 +64,14 @@ spec:
       limits:
         cpu: 2
         memory: "200M"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
   nodeSelector:
     node-role.kubernetes.io/worker-cnf: ""
   runtimeClassName: performance-dynamic-irq-profile
-...
+# ...
 ----
 
 . Enter the pod `runtimeClassName` in the form performance-<profile_name>, where <profile_name> is the `name` from the `PerformanceProfile` YAML, in this example, `performance-dynamic-irq-profile`.
@@ -176,4 +184,4 @@ find /proc/irq/ -name smp_affinity_list -exec sh -c 'i="$1"; mask=$(cat $i); fil
 /proc/irq/28/smp_affinity_list: 1
 /proc/irq/29/smp_affinity_list: 0
 /proc/irq/30/smp_affinity_list: 0-5
-----
+----
diff --git a/modules/cnf-provisioning-real-time-and-low-latency-workloads.adoc b/modules/cnf-provisioning-real-time-and-low-latency-workloads.adoc
@@ -173,6 +173,10 @@ metadata:
   name: qos-demo
   namespace: qos-example
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: qos-demo-ctr
     image: <image-pull-spec>
@@ -183,6 +187,10 @@ spec:
       requests:
         memory: "200Mi"
         cpu: "1"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----
 
 . Create the pod:
diff --git a/modules/setting-up-cpu-manager.adoc b/modules/setting-up-cpu-manager.adoc
@@ -116,6 +116,10 @@ kind: Pod
 metadata:
   generateName: cpumanager-
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: cpumanager
     image: gcr.io/google_containers/pause:3.2
@@ -126,6 +130,10 @@ spec:
       limits:
         cpu: 1
         memory: "1G"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
   nodeSelector:
     cpumanager: "true"
 ----
