config: add rke2 config to improve the device permission

Vicente-Cheng · Vicente-Cheng · commit dd139f8bc7a1 · 2025-03-06T12:59:46.000+08:00
- we need to set `device_ownership_from_security_context` to true

Signed-off-by: Vicente Cheng &lt;vicente.cheng@suse.com&gt;
diff --git a/pkg/config/cos.go b/pkg/config/cos.go
@@ -363,6 +363,21 @@ func initRancherdStage(config *HarvesterConfig, stage *yipSchema.Stage) error {
 		)
 	}
 
+	// RKE2 settings of device permissions (device_ownership_from_security_context)
+	rke2DeviceOwnershipConfig, err := render("rke2-91-harvester-cdi.yaml", config)
+	if err != nil {
+		return err
+	}
+	stage.Files = append(stage.Files,
+		yipSchema.File{
+			Path:        "/etc/rancher/rke2/config.yaml.d/91-harvester-cdi.yaml",
+			Content:     rke2DeviceOwnershipConfig,
+			Permissions: 0600,
+			Owner:       0,
+			Group:       0,
+		},
+	)
+
 	// RKE2 settings of kube-audit
 	rke2KubeAuditConfig, err := render("rke2-92-harvester-kube-audit-policy.yaml", config)
 	if err != nil {
diff --git a/pkg/config/templates/rke2-91-harvester-cdi.yaml b/pkg/config/templates/rke2-91-harvester-cdi.yaml
@@ -0,0 +1,2 @@
+# handle the permission issue of Longhorn for CDI
+"nonroot-devices": true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# handle the permission issue of Longhorn for CDI`
	`2`	`+"nonroot-devices": true`