From dfabd3a9d208243685f4bc50cf5994e27f137a6f Mon Sep 17 00:00:00 2001
From: james
Date: Fri, 19 Dec 2025 12:03:27 +0800
Subject: [PATCH] feat: Remove unnecessary permissions

Signed-off-by: james
---
 k8s-mock-plugin.yaml | 6 ------
 k8s-mock-rbac.yaml | 21 +++------------------
 2 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/k8s-mock-plugin.yaml b/k8s-mock-plugin.yaml
index 1d2c4eb..e9d5cbf 100644
--- a/k8s-mock-plugin.yaml
+++ b/k8s-mock-plugin.yaml
@@ -30,12 +30,6 @@ spec:
 - ./k8s-device-plugin
 - -v=5
 - --device-config-file=/device-config.yaml
- securityContext:
- privileged: true
- allowPrivilegeEscalation: true
- capabilities:
- drop: ["ALL"]
- add: ["SYS_ADMIN"]
 volumeMounts:
 - name: dp
 mountPath: /var/lib/kubelet/device-plugins
diff --git a/k8s-mock-rbac.yaml b/k8s-mock-rbac.yaml
index 7c1475f..375cc35 100644
--- a/k8s-mock-rbac.yaml
+++ b/k8s-mock-rbac.yaml
@@ -5,23 +5,8 @@ metadata:
 rules:
 - apiGroups:
 - ""
- resources:
- - nodes
- verbs:
- - get
- - update
- - list
- - patch
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - update
- - patch
- - get
- - list
- - watch
+ resources: ["nodes"]
+ verbs: ["get", "update", "list", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -40,4 +25,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: hami-mock-device-plugin
- namespace: kube-system
\ No newline at end of file
+ namespace: kube-system
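Review bot: The rule kept in k8s-mock-rbac.yaml still grants both `update` and `patch` on `nodes` through a ClusterRole, which is write access to every Node object in the cluster (labels, taints, annotations) rather than only the node the plugin runs on. Whether the plugin needs both write verbs cannot be seen from the manifest; if it only patches annotations on its own node, narrow the line to `verbs: ["get", "list", "patch"]` and add a comment above the rule naming the field the plugin writes and why. The new `resources: ["nodes"]` and `verbs: [...]` lines are in flow style while `apiGroups` in the same rule stays in block style, so one form should be used throughout the rule. The ClusterRole's metadata begins above the hunk, so its name and any earlier rules are not visible here.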