From 07b7da1873df914c0abd2b8e2bdbeb4678ea7472 Mon Sep 17 00:00:00 2001 From: Pavel Sofronii Date: Tue, 12 Nov 2024 12:22:43 +0100 Subject: [PATCH 1/2] MSP-3281 add codowners, rm review action --- .github/workflows/auto-assign-review.yml | 21 --------------------- .github/workflows/one_job.yml | 1 + CODEOWNERS | 2 ++ 3 files changed, 3 insertions(+), 21 deletions(-) delete mode 100644 .github/workflows/auto-assign-review.yml create mode 100644 CODEOWNERS diff --git a/.github/workflows/auto-assign-review.yml b/.github/workflows/auto-assign-review.yml deleted file mode 100644 index fb8d0348..00000000 --- a/.github/workflows/auto-assign-review.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: 'Auto Assign reviewers' -on: - pull_request: - types: [opened, ready_for_review] - -permissions: - contents: read - -jobs: - add-reviews: - permissions: - contents: read # for kentaro-m/auto-assign-action to fetch config file - pull-requests: write # for kentaro-m/auto-assign-action to assign PR reviewers - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0 diff --git a/.github/workflows/one_job.yml b/.github/workflows/one_job.yml index 25e1332f..b74f6863 100644 --- a/.github/workflows/one_job.yml +++ b/.github/workflows/one_job.yml @@ -5,6 +5,7 @@ on: paths-ignore: - '.github/**' - 'docs/**' + - 'CODEOWNERS' - 'LICENSE' - 'PROJECT' - 'README.md' diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..71ee9435 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# Global code owners (applies to the whole repo) +* @dstaroff @asteny @rdjjke @Uburro From b882c51cc12d09c5f5a3b88f6dc610cbdc0a4093 Mon Sep 17 00:00:00 2001 From: Grigorii Rochev <31252905+Uburro@users.noreply.github.com> Date: Tue, 12 Nov 2024 15:41:22 +0100 Subject: [PATCH 2/2] MSP-2609: fix secret templating and appapormor populatejail (#176) * MSP-2609: fix secret templating * fix bug with populatejail * fix helm chart * fix bug NCCLBenchmark appapparmor test --- VERSION | 2 +- api/v1/slurmcluster_types.go | 14 +++++++- .../bases/slurm.nebius.ai_slurmclusters.yaml | 34 ++++++++++++------- config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 2 +- helm/slurm-cluster-storage/Chart.yaml | 4 +-- helm/slurm-cluster/Chart.yaml | 4 +-- .../templates/slurm-cluster-cr.yaml | 3 +- helm/slurm-cluster/values.yaml | 24 ++++++------- helm/soperator-crds/Chart.yaml | 4 +-- .../templates/slurmcluster-crd.yaml | 34 ++++++++++++------- helm/soperator/Chart.yaml | 4 +-- helm/soperator/crds/slurmcluster-crd.yaml | 34 ++++++++++++------- helm/soperator/values.yaml | 2 +- internal/consts/version.go | 2 +- internal/values/slurm_jail.go | 8 +++-- internal/values/slurm_periodic_checks.go | 8 +++-- 17 files changed, 117 insertions(+), 68 deletions(-) diff --git a/VERSION b/VERSION index ace44233..42cf0675 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.15.1 +1.15.2 diff --git a/api/v1/slurmcluster_types.go b/api/v1/slurmcluster_types.go index bb30d619..ca21ba5b 100644 --- a/api/v1/slurmcluster_types.go +++ b/api/v1/slurmcluster_types.go @@ -134,6 +134,12 @@ type PopulateJail struct { // +kubebuilder:validation:Optional // +kubebuilder:default=false Overwrite bool `json:"overwrite"` + + // AppArmorProfile defines the AppArmor profile for the Slurm node + // + // +kubebuilder:validation:Optional + // +kubebuilder:default="unconfined" + AppArmorProfile string `json:"appArmorProfile,omitempty"` } // PeriodicChecks define the k8s CronJobs performing cluster checks @@ -204,6 +210,12 @@ type NCCLBenchmark struct { // // +kubebuilder:validation:Required K8sNodeFilterName string `json:"k8sNodeFilterName"` + + // AppArmorProfile defines the AppArmor profile for the Slurm node + // + // +kubebuilder:validation:Optional + // +kubebuilder:default="unconfined" + AppArmorProfile string `json:"appArmorProfile,omitempty"` } // NCCLArguments define nccl settings for periodic nccl benchmark @@ -749,7 +761,7 @@ type NodeContainer struct { // +kubebuilder:validation:Optional SecurityLimitsConfig string `json:"securityLimitsConfig,omitempty"` - // AppArmorProfile defines the AppArmor profile for the Slurm worker node + // AppArmorProfile defines the AppArmor profile for the Slurm containers // // +kubebuilder:validation:Optional // +kubebuilder:default="unconfined" diff --git a/config/crd/bases/slurm.nebius.ai_slurmclusters.yaml b/config/crd/bases/slurm.nebius.ai_slurmclusters.yaml index a0efa74d..3168663f 100644 --- a/config/crd/bases/slurm.nebius.ai_slurmclusters.yaml +++ b/config/crd/bases/slurm.nebius.ai_slurmclusters.yaml @@ -1123,6 +1123,11 @@ spec: in seconds format: int64 type: integer + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile + for the Slurm node + type: string enabled: default: true description: Enabled defines whether the CronJob should be @@ -1219,6 +1224,11 @@ spec: description: PopulateJail defines the k8s Job that performs initial jail file system population properties: + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile for + the Slurm node + type: string image: description: Image defines the populate jail container image type: string @@ -1524,7 +1534,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string enabled: type: boolean @@ -8289,7 +8299,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8376,7 +8386,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8532,7 +8542,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8579,7 +8589,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9072,7 +9082,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9123,7 +9133,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9612,7 +9622,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9664,7 +9674,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9993,7 +10003,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10057,7 +10067,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10103,7 +10113,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index ba2f433b..cd823482 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -3,4 +3,4 @@ resources: images: - name: controller newName: cr.eu-north1.nebius.cloud/soperator/slurm-operator - newTag: 1.15.1 + newTag: 1.15.2 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 58151276..c02bbb6b 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -82,7 +82,7 @@ spec: value: "false" - name: SLURM_OPERATOR_WATCH_NAMESPACES value: "*" - image: controller:1.15.1 + image: controller:1.15.2 imagePullPolicy: Always name: manager securityContext: diff --git a/helm/slurm-cluster-storage/Chart.yaml b/helm/slurm-cluster-storage/Chart.yaml index 4d93a49b..e81c0df0 100644 --- a/helm/slurm-cluster-storage/Chart.yaml +++ b/helm/slurm-cluster-storage/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: helm-slurm-cluster-storage description: A Helm chart for Kubernetes type: application -version: "1.15.1" -appVersion: "1.15.1" +version: "1.15.2" +appVersion: "1.15.2" diff --git a/helm/slurm-cluster/Chart.yaml b/helm/slurm-cluster/Chart.yaml index 24c31d75..04c08b60 100644 --- a/helm/slurm-cluster/Chart.yaml +++ b/helm/slurm-cluster/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: helm-slurm-cluster description: A Helm chart for Kubernetes type: application -version: "1.15.1" -appVersion: "1.15.1" +version: "1.15.2" +appVersion: "1.15.2" diff --git a/helm/slurm-cluster/templates/slurm-cluster-cr.yaml b/helm/slurm-cluster/templates/slurm-cluster-cr.yaml index 567f0589..df737446 100644 --- a/helm/slurm-cluster/templates/slurm-cluster-cr.yaml +++ b/helm/slurm-cluster/templates/slurm-cluster-cr.yaml @@ -40,8 +40,7 @@ spec: - name: {{ .name | quote }} {{- omit . "name" | toYaml | nindent 6 }} {{- end }} - secrets: - sshdKeysName: {{ include "slurm-cluster.secret.sshdKeysName" . }} + secrets: {{ toYaml .Values.secrets | nindent 4 }} populateJail: image: {{ required "populateJail image" .Values.images.populateJail | quote }} imagePullPolicy: {{ default "IfNotPresent" .Values.populateJail.imagePullPolicy | quote }} diff --git a/helm/slurm-cluster/values.yaml b/helm/slurm-cluster/values.yaml index 05d69e4c..4ff5ed4f 100644 --- a/helm/slurm-cluster/values.yaml +++ b/helm/slurm-cluster/values.yaml @@ -61,9 +61,9 @@ volumeSources: # readOnly: false # Secret references needed for Slurm cluster operation -secrets: - # Secret reference required for login sshd. If secret name empty - operator generate own secret with keys - sshdKeysName: "" +secrets: {} +# Secret reference required for login sshd. If secret name empty - operator generate own secret with keys +# sshdKeysName: "" # Job performing initial jail file system population populateJail: imagePullPolicy: "IfNotPresent" @@ -380,13 +380,13 @@ telemetry: {} # otelCollectorPort: 8429 images: - slurmctld: "cr.eu-north1.nebius.cloud/soperator/controller_slurmctld:1.15.1-jammy-slurm24.05.2" - slurmrestd: "cr.eu-north1.nebius.cloud/soperator/slurmrestd:1.15.1-jammy-slurm24.05.2" - slurmd: "cr.eu-north1.nebius.cloud/soperator/worker_slurmd:1.15.1-jammy-slurm24.05.2" - sshd: "cr.eu-north1.nebius.cloud/soperator/login_sshd:1.15.1-jammy-slurm24.05.2" - munge: "cr.eu-north1.nebius.cloud/soperator/munge:1.15.1-jammy-slurm24.05.2" - populateJail: "cr.eu-north1.nebius.cloud/soperator/populate_jail:1.15.1-jammy-slurm24.05.2" - ncclBenchmark: "cr.eu-north1.nebius.cloud/soperator/nccl_benchmark:1.15.1-jammy-slurm24.05.2" - slurmdbd: "cr.eu-north1.nebius.cloud/soperator/controller_slurmdbd:1.15.1-jammy-slurm24.05.2" - exporter: "cr.eu-north1.nebius.cloud/soperator/exporter:1.15.1-jammy-slurm24.05.2" + slurmctld: "cr.eu-north1.nebius.cloud/soperator/controller_slurmctld:1.15.2-jammy-slurm24.05.2" + slurmrestd: "cr.eu-north1.nebius.cloud/soperator/slurmrestd:1.15.2-jammy-slurm24.05.2" + slurmd: "cr.eu-north1.nebius.cloud/soperator/worker_slurmd:1.15.2-jammy-slurm24.05.2" + sshd: "cr.eu-north1.nebius.cloud/soperator/login_sshd:1.15.2-jammy-slurm24.05.2" + munge: "cr.eu-north1.nebius.cloud/soperator/munge:1.15.2-jammy-slurm24.05.2" + populateJail: "cr.eu-north1.nebius.cloud/soperator/populate_jail:1.15.2-jammy-slurm24.05.2" + ncclBenchmark: "cr.eu-north1.nebius.cloud/soperator/nccl_benchmark:1.15.2-jammy-slurm24.05.2" + slurmdbd: "cr.eu-north1.nebius.cloud/soperator/controller_slurmdbd:1.15.2-jammy-slurm24.05.2" + exporter: "cr.eu-north1.nebius.cloud/soperator/exporter:1.15.2-jammy-slurm24.05.2" mariaDB: "docker-registry1.mariadb.com/library/mariadb:11.4.3" diff --git a/helm/soperator-crds/Chart.yaml b/helm/soperator-crds/Chart.yaml index 943bd773..afedf6c1 100644 --- a/helm/soperator-crds/Chart.yaml +++ b/helm/soperator-crds/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: helm-soperator-crds description: A Helm chart for Kubernetes type: application -version: 1.15.1 -appVersion: "1.15.1" +version: 1.15.2 +appVersion: "1.15.2" diff --git a/helm/soperator-crds/templates/slurmcluster-crd.yaml b/helm/soperator-crds/templates/slurmcluster-crd.yaml index 45d26766..7c1c33bc 100644 --- a/helm/soperator-crds/templates/slurmcluster-crd.yaml +++ b/helm/soperator-crds/templates/slurmcluster-crd.yaml @@ -1122,6 +1122,11 @@ spec: in seconds format: int64 type: integer + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile + for the Slurm node + type: string enabled: default: true description: Enabled defines whether the CronJob should be @@ -1218,6 +1223,11 @@ spec: description: PopulateJail defines the k8s Job that performs initial jail file system population properties: + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile for + the Slurm node + type: string image: description: Image defines the populate jail container image type: string @@ -1523,7 +1533,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string enabled: type: boolean @@ -8288,7 +8298,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8375,7 +8385,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8531,7 +8541,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8578,7 +8588,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9071,7 +9081,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9122,7 +9132,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9611,7 +9621,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9663,7 +9673,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9992,7 +10002,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10056,7 +10066,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10102,7 +10112,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image diff --git a/helm/soperator/Chart.yaml b/helm/soperator/Chart.yaml index 6244e324..8f5f9948 100644 --- a/helm/soperator/Chart.yaml +++ b/helm/soperator/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: helm-soperator description: A Helm chart for Kubernetes type: application -version: 1.15.1 -appVersion: "1.15.1" +version: 1.15.2 +appVersion: "1.15.2" diff --git a/helm/soperator/crds/slurmcluster-crd.yaml b/helm/soperator/crds/slurmcluster-crd.yaml index 45d26766..7c1c33bc 100644 --- a/helm/soperator/crds/slurmcluster-crd.yaml +++ b/helm/soperator/crds/slurmcluster-crd.yaml @@ -1122,6 +1122,11 @@ spec: in seconds format: int64 type: integer + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile + for the Slurm node + type: string enabled: default: true description: Enabled defines whether the CronJob should be @@ -1218,6 +1223,11 @@ spec: description: PopulateJail defines the k8s Job that performs initial jail file system population properties: + appArmorProfile: + default: unconfined + description: AppArmorProfile defines the AppArmor profile for + the Slurm node + type: string image: description: Image defines the populate jail container image type: string @@ -1523,7 +1533,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string enabled: type: boolean @@ -8288,7 +8298,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8375,7 +8385,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8531,7 +8541,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -8578,7 +8588,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9071,7 +9081,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9122,7 +9132,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9611,7 +9621,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9663,7 +9673,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -9992,7 +10002,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10056,7 +10066,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image @@ -10102,7 +10112,7 @@ spec: appArmorProfile: default: unconfined description: AppArmorProfile defines the AppArmor profile - for the Slurm worker node + for the Slurm containers type: string image: description: Image defines the container image diff --git a/helm/soperator/values.yaml b/helm/soperator/values.yaml index d85809e8..f5ecb6a9 100644 --- a/helm/soperator/values.yaml +++ b/helm/soperator/values.yaml @@ -36,7 +36,7 @@ controllerManager: slurmOperatorWatchNamespaces: '*' image: repository: cr.eu-north1.nebius.cloud/soperator/slurm-operator - tag: 1.15.1 + tag: 1.15.2 imagePullPolicy: Always resources: limits: diff --git a/internal/consts/version.go b/internal/consts/version.go index 3468f059..5fbf4980 100644 --- a/internal/consts/version.go +++ b/internal/consts/version.go @@ -2,5 +2,5 @@ package consts const ( - VersionCR = "1.15.1" + VersionCR = "1.15.2" ) diff --git a/internal/values/slurm_jail.go b/internal/values/slurm_jail.go index 544cff69..235f9493 100644 --- a/internal/values/slurm_jail.go +++ b/internal/values/slurm_jail.go @@ -25,8 +25,12 @@ func buildSlurmPopulateJailFrom(clusterName string, populateJail *slurmv1.Popula PopulateJail: *populateJail.DeepCopy(), Name: naming.BuildPopulateJailJobName(clusterName), ContainerPopulateJail: Container{ - Name: consts.ContainerNamePopulateJail, - NodeContainer: slurmv1.NodeContainer{Image: populateJail.Image, ImagePullPolicy: populateJail.ImagePullPolicy}, + Name: consts.ContainerNamePopulateJail, + NodeContainer: slurmv1.NodeContainer{ + Image: populateJail.Image, + ImagePullPolicy: populateJail.ImagePullPolicy, + AppArmorProfile: populateJail.AppArmorProfile, + }, }, VolumeJail: slurmv1.NodeVolume{ VolumeSourceName: ptr.To(consts.VolumeNameJail), diff --git a/internal/values/slurm_periodic_checks.go b/internal/values/slurm_periodic_checks.go index cc4279ab..14c85864 100644 --- a/internal/values/slurm_periodic_checks.go +++ b/internal/values/slurm_periodic_checks.go @@ -23,8 +23,12 @@ func buildSlurmNCCLBenchmarkFrom(clusterName string, ncclBenchmark *slurmv1.NCCL NCCLBenchmark: *ncclBenchmark.DeepCopy(), Name: naming.BuildCronJobNCCLBenchmarkName(clusterName), ContainerNCCLBenchmark: Container{ - Name: consts.ContainerNameNCCLBenchmark, - NodeContainer: slurmv1.NodeContainer{Image: ncclBenchmark.Image, ImagePullPolicy: ncclBenchmark.ImagePullPolicy}, + Name: consts.ContainerNameNCCLBenchmark, + NodeContainer: slurmv1.NodeContainer{ + Image: ncclBenchmark.Image, + ImagePullPolicy: ncclBenchmark.ImagePullPolicy, + AppArmorProfile: ncclBenchmark.AppArmorProfile, + }, }, VolumeJail: slurmv1.NodeVolume{ VolumeSourceName: ptr.To(consts.VolumeNameJail),