ROCm · sajmera-pensando · Jun 11, 2026 · Jun 5, 2026
diff --git a/Makefile b/Makefile
@@ -444,7 +444,7 @@ bundle-build: operator-sdk manifests kustomize
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	cd config/manager-base && $(KUSTOMIZE) edit set image controller=$(IMG)
 	OPERATOR_SDK="${OPERATOR_SDK}" \
-		     BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts amd-network-operator-kmm-device-plugin,amd-network-operator-kmm-module-loader,amd-network-operator-node-labeller,amd-network-operator-metrics-exporter,amd-network-operator-metrics-exporter-rbac-proxy,amd-network-operator-test-runner,amd-network-operator-config-manager,amd-network-operator-utils-container,amd-network-operator-cni-plugins,amd-network-operator-device-plugin" \
+		     BUNDLE_GEN_FLAGS="${BUNDLE_GEN_FLAGS} --extra-service-accounts amd-network-operator-device-plugin,amd-network-operator-kmm-module-loader,amd-network-operator-node-labeller,amd-network-operator-metrics-exporter,amd-network-operator-metrics-exporter-rbac-proxy,amd-network-operator-test-runner,amd-network-operator-config-manager,amd-network-operator-utils-container,amd-network-operator-cni-plugins" \
 		     PKG=amd-network-operator \
 		     SOURCE_DIR=$(dir $(realpath $(lastword $(MAKEFILE_LIST)))) \
 		     KUBECTL_CMD=${KUBECTL_CMD} ./hack/generate-bundle

diff --git a/config/rbac/cni_plugins_role_binding.yaml b/config/rbac/cni_plugins_role_binding.yaml
@@ -1,8 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: cni-plugins
-  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/.../rbac/kmm_device_plugin_cluster_role.yaml → config/rbac/device_plugin_cluster_role.yaml b/.../rbac/kmm_device_plugin_cluster_role.yaml → config/rbac/device_plugin_cluster_role.yaml
diff --git a/.../rbac/kmm_device_plugin_role_binding.yaml → config/rbac/device_plugin_role_binding.yaml b/.../rbac/kmm_device_plugin_role_binding.yaml → config/rbac/device_plugin_role_binding.yaml
@@ -1,8 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: device-plugin
-  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/...ac/kmm_device_plugin_service_account.yaml → ...g/rbac/device_plugin_service_account.yaml b/...ac/kmm_device_plugin_service_account.yaml → ...g/rbac/device_plugin_service_account.yaml
diff --git a/config/rbac/kmm_module_loader_role_binding.yaml b/config/rbac/kmm_module_loader_role_binding.yaml
@@ -1,8 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: kmm-module-loader
-  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -7,9 +7,9 @@ resources:
   - kmm_module_loader_role_binding.yaml
   - kmm_module_loader_service_account.yaml
   - kmm_module_loader_cluster_role.yaml
-  - kmm_device_plugin_role_binding.yaml
-  - kmm_device_plugin_service_account.yaml
-  - kmm_device_plugin_cluster_role.yaml
+  - device_plugin_role_binding.yaml
+  - device_plugin_service_account.yaml
+  - device_plugin_cluster_role.yaml
   - node_labeller_service_account.yaml
   - node_labeller_cluster_role.yaml
   - node_labeller_role_binding.yaml

diff --git a/hack/openshift-patch/metadata-patch/values.yaml b/hack/openshift-patch/metadata-patch/values.yaml
@@ -72,3 +72,6 @@ nodeLabeller:
 metricsExporter:
   serviceAccount:
     annotations: {}
+cniPlugins:
+  serviceAccount:
+    annotations: {}
diff --git a/...emplate-patch/kmm-device-plugin-rbac.yaml → ...atch/template-patch/cni-plugins-rbac.yaml b/...emplate-patch/kmm-device-plugin-rbac.yaml → ...atch/template-patch/cni-plugins-rbac.yaml
@@ -1,10 +1,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "helm-charts-openshift.fullname" . }}-kmm-device-plugin
+  name: {{ include "helm-charts-openshift.fullname" . }}-cni-plugins
   labels:
-    app.kubernetes.io/component: amd-gpu
-    app.kubernetes.io/part-of: amd-gpu
+    app.kubernetes.io/component: amd-nic
+    app.kubernetes.io/part-of: amd-nic
   {{- include "helm-charts-openshift.labels" . | nindent 4 }}
 rules:
 - apiGroups:
@@ -17,18 +17,18 @@ rules:
   - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: {{ include "helm-charts-openshift.fullname" . }}-kmm-device-plugin
+  name: {{ include "helm-charts-openshift.fullname" . }}-cni-plugins
   labels:
-    app.kubernetes.io/component: amd-gpu
-    app.kubernetes.io/part-of: amd-gpu
+    app.kubernetes.io/component: amd-nic
+    app.kubernetes.io/part-of: amd-nic
   {{- include "helm-charts-openshift.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: '{{ include "helm-charts-openshift.fullname" . }}-kmm-device-plugin'
+  name: '{{ include "helm-charts-openshift.fullname" . }}-cni-plugins'
 subjects:
 - kind: ServiceAccount
-  name: amd-gpu-operator-kmm-device-plugin
+  name: amd-network-operator-cni-plugins
   namespace: '{{ .Release.Namespace }}'
diff --git a/hack/openshift-patch/template-patch/device-plugin-rbac.yaml b/hack/openshift-patch/template-patch/device-plugin-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "helm-charts-openshift.fullname" . }}-device-plugin
+  labels:
+    app.kubernetes.io/component: amd-nic
+    app.kubernetes.io/part-of: amd-nic
+  {{- include "helm-charts-openshift.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "helm-charts-openshift.fullname" . }}-device-plugin
+  labels:
+    app.kubernetes.io/component: amd-nic
+    app.kubernetes.io/part-of: amd-nic
+  {{- include "helm-charts-openshift.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "helm-charts-openshift.fullname" . }}-device-plugin'
+subjects:
+- kind: ServiceAccount
+  name: amd-network-operator-device-plugin
+  namespace: '{{ .Release.Namespace }}'
diff --git a/hack/openshift-patch/template-patch/kmm-module-loader-rbac.yaml b/hack/openshift-patch/template-patch/kmm-module-loader-rbac.yaml
@@ -17,7 +17,7 @@ rules:
   - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "helm-charts-openshift.fullname" . }}-kmm-module-loader
   labels:

diff --git a/hack/openshift-patch/template-patch/serviceaccount.yaml b/hack/openshift-patch/template-patch/serviceaccount.yaml
@@ -51,6 +51,16 @@ metadata:
     app.kubernetes.io/component: amd-nic
     app.kubernetes.io/part-of: amd-nic
   {{- include "helm-charts-openshift.labels" . | nindent 4 }}
-  annotations:
   annotations:
     {{- toYaml .Values.metricsExporter.serviceAccount.annotations | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: amd-network-operator-cni-plugins
+  labels:
+    app.kubernetes.io/component: amd-nic
+    app.kubernetes.io/part-of: amd-nic
+  {{- include "helm-charts-openshift.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.cniPlugins.serviceAccount.annotations | nindent 4 }}
diff --git a/internal/kmmmodule/testdata/device_plugin_test.yaml b/internal/kmmmodule/testdata/device_plugin_test.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: moduleNamespace
 spec:
   devicePlugin:
-    serviceAccountName: "amd-gpu-operator-kmm-device-plugin"
+    serviceAccountName: "amd-network-operator-device-plugin"
     container:
       image: rocm/k8s-device-plugin:latest
       volumeMounts: