
Remove RunAsAny (root) for qatlib container

Open vbedida79 opened this issue 1 year ago • 2 comments

Summary

Currently the qatlib workload runs with a custom SCC that grants IPC_LOCK and root permissions.

Detail

The qatlib workload needs the IPC_LOCK capability, which is added via a custom SCC based on the default restricted-v2 SCC. The container also needs to run as root according to the qatlib docs; this is allowed with the RunAsAny permission in the custom SCC, which also lets the container access devices as root.

Possible solutions

  1. To avoid access to host devices as root, follow https://github.com/intel/intel-technology-enabling-for-openshift/issues/35 and figure out how to enable the CRI-O flag on every host, possibly via a privileged-container DaemonSet.
  2. Is it possible to run the qatlib container as non-root or as a specific user?

vbedida79 avatar Sep 19 '23 21:09 vbedida79
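Added example, not code from the issue or the intel-technology-enabling-for-openshift repository: the custom SCC described above, cloned from OpenShift's default restricted-v2 SCC, with the IPC_LOCK addition kept and the weak RunAsAny setting shown as a comment next to the tightened MustRunAsRange setting. A pod that is admitted under it follows as a second document. The SCC name, service account, pod name, image and the QAT device plugin resource name are assumptions.

```yaml
# Added example (not from the repository). Custom SCC for the qatlib
# workload, cloned from restricted-v2 with two deliberate changes, both
# commented below. Names marked "assumed" are not from the issue.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: qatlib-ipc-lock          # assumed name
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - IPC_LOCK                     # change 1: qatlib needs IPC_LOCK (restricted-v2 allows only NET_BIND_SERVICE)
defaultAddCapabilities: null
requiredDropCapabilities:
  - ALL
readOnlyRootFilesystem: false
runAsUser:
  # Change 2. The weak setting the issue describes is:
  #   type: RunAsAny      # pod may set runAsUser: 0 and open device nodes as root
  # The tightened setting keeps restricted-v2's behaviour: the UID comes from
  # the namespace's openshift.io/sa.scc.uid-range annotation, so a pod that
  # asks for runAsUser: 0 is rejected at admission.
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
users: []
groups: []
---
# Pod admitted under the SCC above: it requests IPC_LOCK explicitly, drops
# everything else and asserts non-root, so an image built with USER root
# fails at start instead of silently running as uid 0.
apiVersion: v1
kind: Pod
metadata:
  name: qatlib-sample            # assumed name
spec:
  serviceAccountName: qatlib     # assumed; grant with: oc adm policy add-scc-to-user qatlib-ipc-lock -z qatlib
  containers:
    - name: qatlib
      image: quay.io/example/qatlib-sample:latest   # placeholder image (assumption)
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["IPC_LOCK"]
        seccompProfile:
          type: RuntimeDefault
      resources:
        limits:
          qat.intel.com/generic: 1   # QAT device plugin resource name (assumption)
```

To confirm which SCC actually admitted the pod, read its `openshift.io/scc` annotation: `oc get pod qatlib-sample -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`. The caveat that ties this to the rest of the thread: MustRunAsRange makes the process non-root, but the device node the device plugin injects keeps its host ownership (root) inside the container unless the runtime re-owns it to the pod's runAsUser/runAsGroup, which is what the per-host CRI-O flag mentioned in the issue is about. Without that flag the non-root process will get EACCES on the device.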

> The container also needs to run as root according to qatlib doc.

The qatlib docs are not valid in the container space (host groups and GIDs are not directly applicable). Read my blog; it describes the problems and the solution.

> Figure how to enable CRIO flag for every host.

I'd submit a feature request to OCP to have that flag available in the MCO, at least to trigger the conversation. This flag is universal to all devices, not just QAT-specific.

mythi avatar Sep 20 '23 05:09 mythi

> I'd submit a feature request to OCP to have that flag available in MCO. At least to trigger the conversation. This flag is universal to all devices, not just QAT specific.

Via a ContainerRuntimeConfig CR: https://docs.openshift.com/container-platform/4.13/post_installation_configuration/machine-configuration-tasks.html#create-a-containerruntimeconfig_post-install-machine-configuration-tasks

mythi avatar Sep 20 '23 11:09 mythi
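Added example, not from the thread or the repository. A ContainerRuntimeConfig CR only exposes a fixed set of CRI-O settings (log level, pids limit, overlay size and the like); if the flag needed here is not among them, the generic way to push any CRI-O option to every host through the MCO, rather than via a privileged DaemonSet, is a MachineConfig that writes a drop-in under `/etc/crio/crio.conf.d/`. The page does not name the flag; that it is CRI-O's `device_ownership_from_security_context` (the setting that makes CRI-O chown injected device nodes to the pod's runAsUser/runAsGroup) is my assumption, as is the MachineConfig name.

```yaml
# Added example, not from the issue or the repository.
# Assumption: the CRI-O flag the thread refers to is
# device_ownership_from_security_context. It only takes effect for pods
# whose security context carries a non-root runAsUser/runAsGroup; under a
# RunAsAny SCC with no UID set, the device node stays root-owned.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker   # rolled out to every worker node
  name: 99-worker-crio-device-ownership            # assumed name
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/crio/crio.conf.d/99-device-ownership.conf
          mode: 420              # 0644
          overwrite: true
          # URL-encoded (data:, form). Decoded, the file reads:
          #   [crio.runtime]
          #   device_ownership_from_security_context = true
          contents:
            source: data:,%5Bcrio.runtime%5D%0Adevice_ownership_from_security_context%20%3D%20true%0A
```

Applying this reboots the nodes of the worker pool one at a time under the MCO's normal rollout. To check that the drop-in took effect on a node, run `oc debug node/<node> -- chroot /host crio status config` and look for `device_ownership_from_security_context = true` in the output; the SCC-side half of the fix (a MustRunAsRange or specific-UID SCC instead of RunAsAny) still has to be in place for the re-owning to happen.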