From c725eef277981b244c12f4993c68be5b3011fbf2 Mon Sep 17 00:00:00 2001
From: Rajat Chopra
Date: Tue, 3 Feb 2026 18:58:10 -0800
Subject: [PATCH] feat: sandbox device plugin will launch pods for GFD, so we need new privileges and info
Signed-off-by: Rajat Chopra
---
.../0200_role.yaml | 19 +++++++++++++++++++
.../0500_daemonset.yaml | 11 +++++++++++
2 files changed, 30 insertions(+)
diff --git a/assets/state-sandbox-device-plugin/0200_role.yaml b/assets/state-sandbox-device-plugin/0200_role.yaml
index 2f5085e51..5864adb9c 100644
--- a/assets/state-sandbox-device-plugin/0200_role.yaml
+++ b/assets/state-sandbox-device-plugin/0200_role.yaml
@@ -12,3 +12,22 @@ rules:
 - use
 resourceNames:
 - privileged
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ verbs:
+ - create
+ - get
+ - list
+ - watch
diff --git a/assets/state-sandbox-device-plugin/0500_daemonset.yaml b/assets/state-sandbox-device-plugin/0500_daemonset.yaml
index 2f0e9e297..5a5d7d246 100644
--- a/assets/state-sandbox-device-plugin/0500_daemonset.yaml
+++ b/assets/state-sandbox-device-plugin/0500_daemonset.yaml
@@ -61,6 +61,17 @@ spec:
 - image: "FILLED BY THE OPERATOR"
 imagePullPolicy: IfNotPresent
 name: nvidia-sandbox-device-plugin-ctr
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
 securityContext:
 privileged: true
 volumeMounts:
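Review bot: The added `pods` rule in 0200_role.yaml lets the plugin's service account `create` and `delete` any pod the role covers, and the rule that ends at the top of the hunk (its resource is outside the hunk) already grants `use` on `privileged`, so a token taken from this `privileged: true` container could start privileged pods under any service account in that scope. RBAC cannot limit `create` by name, label or node, so the `NODE_NAME` and `POD_NAMESPACE` values injected in the 0500_daemonset.yaml hunk are honoured only by the plugin itself; if the GFD pods must be created from the node, consider pairing the rule with an admission policy that pins pods from this service account to the expected image, service account and node. I would also add a comment above the rule, e.g. `# pods: the plugin launches one GFD pod per node; keep verbs minimal`, and check whether `list`, `watch` and `delete` are all needed. The `nodefeatures` rule grants `create` without `update` or `patch`, which presumably fails once an object for the node already exists, so that is worth confirming.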