fix: add security context for hypervisor (#285)

Author: Code2Life

internal/constants/env.go

@@ -121,6 +121,9 @@ const (
 	HypervisorMetricsExtraLabelsEnv = "TF_HYPERVISOR_METRICS_EXTRA_LABELS"
 	HypervisorDetectUsedGPUEnv      = "DETECT_IN_USED_GPUS"
 
+	// Add ptrace capability to hypervisor container, to trace all host PID using GPU
+	SystemPtraceCapability = "SYS_PTRACE"
+
 	HypervisorDefaultPortNumber int32  = 8000
 	HypervisorPortName          string = "http"
 

internal/utils/compose.go

@@ -386,6 +386,14 @@ func composeHypervisorContainer(spec *v1.PodSpec, pool *tfv1.GPUPool) {
 		MountPath: constants.KubeletDevicePluginPath,
 	})
 
+	spec.Containers[0].SecurityContext = &v1.SecurityContext{
+		Capabilities: &v1.Capabilities{
+			Add: []v1.Capability{
+				constants.SystemPtraceCapability,
+			},
+		},
+	}
+
 	port := getHypervisorPortNumber(pool.Spec.ComponentConfig.Hypervisor)
 	spec.ServiceAccountName = constants.HypervisorServiceAccountName
 	spec.Containers[0].Env = append(spec.Containers[0].Env, v1.EnvVar{