Fix high-level trivy findings

This fixes the high-level trivy findings, and many of the mediums and the lows. Signed-off-by: Ukri Niemimuukko <[email protected]>
intel · Feb 26, 2024 · e02f456 · e02f456
1 parent 0bc3ab2
commit e02f456
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 1 deletion.
diff --git a/gpu-aware-scheduling/.golangci.yml b/gpu-aware-scheduling/.golangci.yml
@@ -14,7 +14,7 @@ linters-settings:
   gofmt:
     simplify: true
   gofumpt:
-    lang-version: "1.19"
+    lang-version: "1.21"
   golint:
     min-confidence: 0.9
   govet:

diff --git a/gpu-aware-scheduling/deploy/gas-deployment.yaml b/gpu-aware-scheduling/deploy/gas-deployment.yaml
@@ -26,6 +26,10 @@ spec:
         - "--burst=100"
         - "--qps=50"
         - "--v=4"
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
         image: intel/gpu-extender
         imagePullPolicy: IfNotPresent
         securityContext:

diff --git a/gpu-aware-scheduling/docs/example/allowed_gpu_list.yaml b/gpu-aware-scheduling/docs/example/allowed_gpu_list.yaml
@@ -18,6 +18,9 @@ spec:
       labels:
         app: allow-gpu-list-example
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: &containername allow-gpu-list-example
         image: busybox:1.33.1
@@ -26,5 +29,18 @@ spec:
           value: *containername
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
diff --git a/gpu-aware-scheduling/docs/example/bb_example.yaml b/gpu-aware-scheduling/docs/example/bb_example.yaml
@@ -12,11 +12,27 @@ spec:
       labels:
         app: bb-example
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: bb-example
         image: busybox:1.33.1
         command: ['sh', '-c', 'echo The gpu resource request app is running! && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/millicores: 100
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
diff --git a/gpu-aware-scheduling/docs/example/memory_resource_example.yaml b/gpu-aware-scheduling/docs/example/memory_resource_example.yaml
@@ -12,6 +12,9 @@ spec:
       labels:
         app: memory-resource-example
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: &containername memory-resource-example
         image: busybox:1.33.1
@@ -20,6 +23,19 @@ spec:
           value: *containername
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/memory.max: 500M
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
diff --git a/gpu-aware-scheduling/docs/example/same-gpu-example.yaml b/gpu-aware-scheduling/docs/example/same-gpu-example.yaml
@@ -15,6 +15,9 @@ spec:
       #List containers that needs to be in same GPU
         gas-same-gpu: same-gpu-container1,same-gpu-container3
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: &container1 same-gpu-container1
         image: busybox:1.33.1
@@ -23,36 +26,88 @@ spec:
           value: *container1
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/millicores: 400
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
       - name: &container2 same-gpu-container2
         image: busybox:1.33.1
         env:
         - name: MY_CONTAINER_NAME
           value: *container2
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/millicores: 300
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
       - name: &container3 same-gpu-container3
         image: busybox:1.33.1
         env:
         - name: MY_CONTAINER_NAME
           value: *container3
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/millicores: 400
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
       - name: &container4 same-gpu-container4
         image: busybox:1.33.1
         env:
         - name: MY_CONTAINER_NAME
           value: *container4
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/millicores: 300
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
diff --git a/gpu-aware-scheduling/docs/example/tile_resource_request_example.yaml b/gpu-aware-scheduling/docs/example/tile_resource_request_example.yaml
@@ -12,6 +12,9 @@ spec:
       labels:
         app: tile-resource-request-example
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: &containername tile-resource-request-example
         image: busybox:1.33.1
@@ -20,6 +23,19 @@ spec:
           value: *containername
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 1
             gpu.intel.com/tiles: 1
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]
diff --git a/gpu-aware-scheduling/docs/example/xe-link-example.yaml b/gpu-aware-scheduling/docs/example/xe-link-example.yaml
@@ -14,6 +14,9 @@ spec:
       annotations:
         gas-allocate-xelink: 'true'
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: &containername xe-link-example
         image: busybox:1.33.1
@@ -22,6 +25,19 @@ spec:
           value: *containername
         command: ['sh', '-c', 'echo $MY_CONTAINER_NAME && ls -ltr /dev/dri && sleep 6000']
         resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
           limits:
+            cpu: 100m
+            memory: 100Mi
             gpu.intel.com/i915: 2
             gpu.intel.com/tiles: 2
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop: [ "ALL" ]