From 4beeb449ba7a9aa2dbc6c9266b8c468cd1ba721b Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Thu, 5 Oct 2023 15:20:42 +0200 Subject: [PATCH] Use kustomize for csi driver Signed-off-by: Jirka Kremser --- .gitignore | 2 +- Makefile.custom.mk | 18 +- .../overwrites/templates/pss-exceptions.yaml | 2 +- .../overwrites/templates/pss-exceptions.yaml | 2 +- .../overwrites/templates/pss-exceptions.yaml | 2 +- .../overwrites/templates/pss-exceptions.yaml | 30 +- .../vsphere-csi-driver/overwrites/values.yaml | 6 + hack/custom-patches.sh | 20 + .../templates/pss-exceptions.yaml | 2 +- .../templates/pss-exceptions.yaml | 2 +- .../kube-vip/templates/pss-exceptions.yaml | 2 +- ..._v1_deployment_vsphere-csi-controller.yaml | 368 ++++++++++-------- .../templates/pss-exceptions.yaml | 30 +- .../charts/vsphere-csi-driver/values.yaml | 6 + .../templates/crd-install/crd-configmap.yaml | 2 +- .../templates/crd-install/crd-job.yaml | 3 +- .../templates/crd-install/crd-netpol.yaml | 2 +- .../templates/crd-install/crd-rbac.yaml | 2 +- .../crd-install/crd-serviceaccount.yaml | 2 +- 19 files changed, 290 insertions(+), 213 deletions(-) create mode 100755 hack/custom-patches.sh diff --git a/.gitignore b/.gitignore index 839d19c..56f1dae 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ # binary -/bin/kustomize +/bin/* diff --git a/Makefile.custom.mk b/Makefile.custom.mk index 93ce4cd..796fca4 100644 --- a/Makefile.custom.mk +++ b/Makefile.custom.mk @@ -4,9 +4,11 @@ OS ?= $(shell go env GOOS 2>/dev/null || echo linux) ARCH ?= $(shell go env GOARCH 2>/dev/null || echo amd64) KUSTOMIZE := ./bin/kustomize KUSTOMIZE_VERSION ?= v4.5.7 +YQ = ./bin/yq +YQ_VERSION := 4.31.2 .PHONY: all -all: update-cpi-chart update-csi-chart update-kubevip-chart update-kubevip-cloud-provider-chart +all: update-cpi-chart update-csi-chart apply-custom-patches-for-csi update-kubevip-chart update-kubevip-cloud-provider-chart @$(call say,Sync has been done ✓) .PHONY: update-cpi-chart 
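Review bot: `YQ = ./bin/yq` uses a recursively expanded assignment and `YQ_VERSION := 4.31.2` a fixed one, which is the opposite of the adjacent `KUSTOMIZE := ./bin/kustomize` / `KUSTOMIZE_VERSION ?= v4.5.7` pair; matching them (`YQ := ./bin/yq`, `YQ_VERSION ?= 4.31.2`) avoids re-expanding the path on every use and lets the version be overridden from the command line like the kustomize one. The `v` prefix convention also differs between the two: `KUSTOMIZE_VERSION` carries it while `YQ_VERSION` does not and the download URL in a later hunk prepends it, which is easy to trip over when bumping either tool.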
@@ -15,11 +17,16 @@ update-cpi-chart: ./hack/update-cpi-chart.sh ./hack/common-labels-injector.sh cloud-provider-for-vsphere +.PHONY: apply-custom-patches-for-csi +apply-custom-patches-for-csi: $(YQ) ## apply giantswarm specific patches that are not possible via kustomize + @$(call say,Custom yq magic for CSI) + ./hack/custom-patches.sh + ./hack/common-labels-injector.sh vsphere-csi-driver + .PHONY: update-csi-chart update-csi-chart: $(KUSTOMIZE) @$(call say,CSI helm chart) ./hack/update-csi-chart.sh $(KUSTOMIZE) - ./hack/common-labels-injector.sh vsphere-csi-driver .PHONY: update-kubevip-chart update-kubevip-chart: @@ -40,6 +47,13 @@ $(KUSTOMIZE): ## Download kustomize locally if necessary. chmod +x $@ @echo "kustomize downloaded" +$(YQ): ## Download yq locally if necessary. + @$(call say,Download yq) + curl -sfL https://github.com/mikefarah/yq/releases/download/v$(YQ_VERSION)/yq_$(OS)_$(ARCH) > $@ + chmod +x $@ + @echo "yq downloaded" + + ifndef NO_COLOR YELLOW=\033[0;33m # no color diff --git a/config/cloud-provider-for-vsphere/overwrites/templates/pss-exceptions.yaml b/config/cloud-provider-for-vsphere/overwrites/templates/pss-exceptions.yaml index 197a3fe..f4318ce 100644 --- a/config/cloud-provider-for-vsphere/overwrites/templates/pss-exceptions.yaml +++ b/config/cloud-provider-for-vsphere/overwrites/templates/pss-exceptions.yaml @@ -31,4 +31,4 @@ spec: - {{ .Release.Namespace }} names: - cloud-provider-for-vsphere* -{{- end }} \ No newline at end of file +{{- end }} diff --git a/config/kube-vip-cloud-provider/overwrites/templates/pss-exceptions.yaml b/config/kube-vip-cloud-provider/overwrites/templates/pss-exceptions.yaml index 7e105f1..1a6ec10 100644 --- a/config/kube-vip-cloud-provider/overwrites/templates/pss-exceptions.yaml +++ b/config/kube-vip-cloud-provider/overwrites/templates/pss-exceptions.yaml @@ -31,4 +31,4 @@ spec: - {{ .Release.Namespace }} names: - kube-vip-cloud-provider* -{{- end }} \ No newline at end of file +{{- end }} 
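Review bot: `apply-custom-patches-for-csi: $(YQ)` declares no dependency on `update-csi-chart`, yet `./hack/custom-patches.sh` rewrites the deployment template that `update-csi-chart` regenerates with kustomize, and moving `./hack/common-labels-injector.sh vsphere-csi-driver` into this target means the common labels are now only applied if it runs after that regeneration. The `all` list in the previous hunk places the two targets left to right, but prerequisite order is not an ordering guarantee under `make -j`, and running `make update-csi-chart` on its own now silently produces a chart without the custom patches or the labels. Declaring the edge, `apply-custom-patches-for-csi: $(YQ) update-csi-chart`, fixes both cases; alternatively invoke the script from the end of `update-csi-chart` itself.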
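Review bot: The `$(YQ)` rule fetches an executable from GitHub with `curl -sfL … > $@` and then runs it over chart templates that are committed to the repository, with no integrity check on what was downloaded; a pinned version is not a pinned artifact, because a release asset can be re-uploaded. The yq project publishes a checksums file with each release, so the expected digest for `yq_$(OS)_$(ARCH)` can be pinned in this Makefile and verified before the binary is made executable. Separately, `> $@` creates the target before curl has succeeded, so a failed download leaves an empty `./bin/yq` that later `make` runs consider up to date; downloading to `$@.tmp` and moving it into place (or adding `.DELETE_ON_ERROR:`) avoids that. A sketch, with `YQ_SHA256` filled in per platform from the release's checksums file (use `shasum -a 256 -c` where `sha256sum` is unavailable):
```make
YQ_SHA256 ?= # expected sha256 of yq_$(OS)_$(ARCH) for v$(YQ_VERSION), from the release checksums file
# … unchanged: remaining variables and targets …
$(YQ): ## Download yq locally if necessary.
	@$(call say,Download yq)
	curl -sfL https://github.com/mikefarah/yq/releases/download/v$(YQ_VERSION)/yq_$(OS)_$(ARCH) -o $@.tmp
	echo "$(YQ_SHA256)  $@.tmp" | sha256sum -c -
	mv -f $@.tmp $@
	chmod +x $@
	@echo "yq downloaded"
```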
diff --git a/config/kube-vip/overwrites/templates/pss-exceptions.yaml b/config/kube-vip/overwrites/templates/pss-exceptions.yaml index e766875..d7c552c 100644 --- a/config/kube-vip/overwrites/templates/pss-exceptions.yaml +++ b/config/kube-vip/overwrites/templates/pss-exceptions.yaml @@ -62,4 +62,4 @@ spec: - {{ .Release.Namespace }} names: - kube-vip -{{- end }} \ No newline at end of file +{{- end }} diff --git a/config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml b/config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml index 1e7f41b..554c12b 100644 --- a/config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml +++ b/config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml @@ -28,24 +28,24 @@ spec: ruleNames: - restricted-volumes - autogen-restricted-volumes - - policyName: require-run-as-nonroot - ruleNames: - - run-as-non-root - - autogen-run-as-non-root + # - policyName: require-run-as-nonroot + # ruleNames: + # - run-as-non-root + # - autogen-run-as-non-root - policyName: restrict-seccomp-strict ruleNames: - check-seccomp-strict - autogen-check-seccomp-strict - - policyName: disallow-capabilities - ruleNames: - - adding-capabilities - - autogen-adding-capabilities - - policyName: disallow-capabilities-strict - ruleNames: - - adding-capabilities-strict - - autogen-adding-capabilities-strict - - require-drop-all - - autogen-require-drop-all + # - policyName: disallow-capabilities + # ruleNames: + # - adding-capabilities + # - autogen-adding-capabilities + # - policyName: disallow-capabilities-strict + # ruleNames: + # - adding-capabilities-strict + # - autogen-adding-capabilities-strict + # - require-drop-all + # - autogen-require-drop-all - policyName: disallow-privilege-escalation ruleNames: - privilege-escalation @@ -62,4 +62,4 @@ spec: - {{ .Release.Namespace }} names: - vsphere-csi* -{{- end }} \ No newline at end of file +{{- end }} 
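Review bot: The three policy exceptions dropped in the first hunk are commented out rather than deleted, leaving fourteen lines of dead YAML (`# - policyName: require-run-as-nonroot` … `# - autogen-require-drop-all`) in a Helm template; version control already preserves the old text, so removing the lines keeps the template readable and avoids the impression that they are meant to be toggled back. Note also that the `vsphere-csi*` name match kept in the second hunk covers every workload with that prefix, so any other object sharing it — a node DaemonSet, if this chart ships one, is not in this diff — now falls under the run-as-nonroot and capability rules without having received the new `containerSecurityContext`, which this commit adds only to the controller deployment. Conversely, the remaining `restrict-seccomp-strict` and `disallow-privilege-escalation` exceptions are now satisfied by that security context for the controller, so whether they are still needed depends on what else matches the prefix; a one-line comment above the list stating which workload each remaining exception exists for would make the next pruning safe.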
diff --git a/config/vsphere-csi-driver/overwrites/values.yaml b/config/vsphere-csi-driver/overwrites/values.yaml index c02ea43..e8b1a37 100644 --- a/config/vsphere-csi-driver/overwrites/values.yaml +++ b/config/vsphere-csi-driver/overwrites/values.yaml @@ -53,3 +53,9 @@ storageClass: isDefault: false vcdStorageProfileName: "vSAN Default Storage Policy" fileSystem: "ext4" + +containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/hack/custom-patches.sh b/hack/custom-patches.sh new file mode 100755 index 0000000..22c8a22 --- /dev/null +++ b/hack/custom-patches.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +set -o errexit +set -o nounset +set -o pipefail + +YQ="./bin/yq" + +f="helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml" +${YQ} e '.spec.template.spec.securityContext.remove-this-key="'" +{{- with .Values.podSecurityContext }} + {{- . | toYaml | nindent 8 }} +{{- end }} +"'" | .spec.template.spec.containers[].securityContext.remove-this-key="'" +{{- with .Values.containerSecurityContext }} + {{- . | toYaml | nindent 12 }} +{{- end }} +"'"' ${f} > ${f}.tmp +cat ${f}.tmp | grep -v 'remove-this-key' > ${f} +rm -rf ${f}.tmp diff --git a/helm/cloud-provider-vsphere/charts/cloud-provider-for-vsphere/templates/pss-exceptions.yaml b/helm/cloud-provider-vsphere/charts/cloud-provider-for-vsphere/templates/pss-exceptions.yaml index 197a3fe..f4318ce 100644 --- a/helm/cloud-provider-vsphere/charts/cloud-provider-for-vsphere/templates/pss-exceptions.yaml +++ b/helm/cloud-provider-vsphere/charts/cloud-provider-for-vsphere/templates/pss-exceptions.yaml @@ -31,4 +31,4 @@ spec: - {{ .Release.Namespace }} names: - cloud-provider-for-vsphere* -{{- end }} \ No newline at end of file +{{- end }} 
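Review bot: `containerSecurityContext` sets `allowPrivilegeEscalation`, `runAsNonRoot` and a seccomp profile but does not drop capabilities, while the same commit removes the `disallow-capabilities-strict` / `require-drop-all` exception for `vsphere-csi*`; if that Kyverno rule enforces what its name suggests, the controller pods will be rejected (or at least reported) until `capabilities: { drop: ["ALL"] }` is added to this block. `runAsNonRoot: true` also makes the kubelet refuse to start any container whose image runs as UID 0, so it is worth confirming that every image used by the controller deployment (the sig-storage sidecars as well as the vSphere controller and syncer images) declares a non-root user, or pinning `runAsUser` here. The injected template additionally references `.Values.podSecurityContext`, which this values file never defines, so the pod-level `securityContext:` renders empty; adding `podSecurityContext: {}` (or a real value such as `seccompProfile`) keeps the rendered manifest explicit.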
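Review bot: `cat ${f}.tmp | grep -v 'remove-this-key' > ${f}` truncates the tracked template before grep has produced any output, so under `errexit`/`pipefail` a failure in that pipeline leaves an empty `${f}` in the working tree; filter into a second temporary file and move it into place, `grep -v 'remove-this-key' "${f}.tmp" > "${f}.out" && mv -f "${f}.out" "${f}"`, and replace `rm -rf ${f}.tmp` with `rm -f "${f}.tmp"` (it is a single file, and the expansions should be quoted throughout). The substring filter also removes any line that merely contains `remove-this-key`, and the injection only works because yq emits the `remove-this-key:` block-scalar header on its own line with the template text on the following lines; a short comment above the yq call, e.g. `# yq cannot emit raw Go-template text, so inject it as a multi-line string under a marker key and strip the marker line afterwards`, would spare the next reader the puzzle and flag that a yq upgrade changing scalar formatting would break it.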
diff --git a/helm/cloud-provider-vsphere/charts/kube-vip-cloud-provider/templates/pss-exceptions.yaml b/helm/cloud-provider-vsphere/charts/kube-vip-cloud-provider/templates/pss-exceptions.yaml index 7e105f1..1a6ec10 100644 --- a/helm/cloud-provider-vsphere/charts/kube-vip-cloud-provider/templates/pss-exceptions.yaml +++ b/helm/cloud-provider-vsphere/charts/kube-vip-cloud-provider/templates/pss-exceptions.yaml @@ -31,4 +31,4 @@ spec: - {{ .Release.Namespace }} names: - kube-vip-cloud-provider* -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/charts/kube-vip/templates/pss-exceptions.yaml b/helm/cloud-provider-vsphere/charts/kube-vip/templates/pss-exceptions.yaml index e766875..d7c552c 100644 --- a/helm/cloud-provider-vsphere/charts/kube-vip/templates/pss-exceptions.yaml +++ b/helm/cloud-provider-vsphere/charts/kube-vip/templates/pss-exceptions.yaml @@ -62,4 +62,4 @@ spec: - {{ .Release.Namespace }} names: - kube-vip -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml index f3f1668..ec7966e 100644 --- a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml +++ b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml 
@@ -24,178 +24,210 @@ spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - vsphere-csi-controller - topologyKey: kubernetes.io/hostname + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - vsphere-csi-controller + topologyKey: kubernetes.io/hostname containers: - - args: - - --v=4 - - --timeout=300s - - --csi-address=$(ADDRESS) - - --leader-election - - --kube-api-qps=100 - - --kube-api-burst=100 - env: - - name: ADDRESS - value: /csi/csi.sock - image: '{{ .Values.controllerDeployment.csiAttacher.image}}:{{ .Values.controllerDeployment.csiAttacher.tag}}' - name: csi-attacher - volumeMounts: - - mountPath: /csi - name: socket-dir - - args: - - --v=4 - - --timeout=300s - - --handle-volume-inuse-error=false - - --csi-address=$(ADDRESS) - - --kube-api-qps=100 - - --kube-api-burst=100 - - --leader-election - env: - - name: ADDRESS - value: /csi/csi.sock - image: '{{ .Values.controllerDeployment.csiResizer.image}}:{{ .Values.controllerDeployment.csiResizer.tag}}' - name: csi-resizer - volumeMounts: - - mountPath: /csi - name: socket-dir - - args: - - --fss-name=internal-feature-states.csi.vsphere.vmware.com - - --fss-namespace=$(CSI_NAMESPACE) - env: - - name: CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: X_CSI_MODE - value: controller - - name: X_CSI_SPEC_DISABLE_LEN_CHECK - value: "true" - - name: X_CSI_SERIAL_VOL_ACCESS_TIMEOUT - value: 3m - - name: VSPHERE_CSI_CONFIG - value: /etc/cloud/csi-vsphere.conf - - name: LOGGER_LEVEL - value: PRODUCTION - - name: INCLUSTER_CLIENT_QPS - value: "100" - - name: INCLUSTER_CLIENT_BURST - value: "100" - - name: CSI_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: '{{ .Values.controllerDeployment.csiController.image}}:{{ .Values.controllerDeployment.csiController.tag}}' - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - 
port: healthz - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 3 - name: vsphere-csi-controller - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - - containerPort: 2112 - name: prometheus - protocol: TCP - volumeMounts: - - mountPath: /etc/cloud - name: vsphere-config-volume - readOnly: true - - mountPath: /csi - name: socket-dir - - args: - - --v=4 - - --csi-address=/csi/csi.sock - image: '{{ .Values.controllerDeployment.livenessProbe.image}}:{{ .Values.controllerDeployment.livenessProbe.tag}}' - name: liveness-probe - volumeMounts: - - mountPath: /csi - name: socket-dir - - args: - - --leader-election - - --fss-name=internal-feature-states.csi.vsphere.vmware.com - - --fss-namespace=$(CSI_NAMESPACE) - env: - - name: FULL_SYNC_INTERVAL_MINUTES - value: "30" - - name: VSPHERE_CSI_CONFIG - value: /etc/cloud/csi-vsphere.conf - - name: LOGGER_LEVEL - value: PRODUCTION - - name: INCLUSTER_CLIENT_QPS - value: "100" - - name: INCLUSTER_CLIENT_BURST - value: "100" - - name: GODEBUG - value: x509sha1=1 - - name: CSI_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: '{{ .Values.controllerDeployment.syncer.image}}:{{ .Values.controllerDeployment.syncer.tag}}' - imagePullPolicy: Always - name: vsphere-syncer - ports: - - containerPort: 2113 - name: prometheus - protocol: TCP - volumeMounts: - - mountPath: /etc/cloud - name: vsphere-config-volume - readOnly: true - - args: - - --v=4 - - --timeout=300s - - --csi-address=$(ADDRESS) - - --kube-api-qps=100 - - --kube-api-burst=100 - - --leader-election - - --default-fstype=ext4 - env: - - name: ADDRESS - value: /csi/csi.sock - image: '{{ .Values.controllerDeployment.csiProvisioner.image}}:{{ .Values.controllerDeployment.csiProvisioner.tag}}' - name: csi-provisioner - volumeMounts: - - mountPath: /csi - name: socket-dir - - args: - - --v=4 - - --kube-api-qps=100 - - --kube-api-burst=100 - - --timeout=300s - - --csi-address=$(ADDRESS) - - --leader-election - env: - - name: 
ADDRESS - value: /csi/csi.sock - image: '{{ .Values.controllerDeployment.csiSnapshotter.image}}:{{ .Values.controllerDeployment.csiSnapshotter.tag}}' - name: csi-snapshotter - volumeMounts: - - mountPath: /csi - name: socket-dir + - args: + - --v=4 + - --timeout=300s + - --csi-address=$(ADDRESS) + - --leader-election + - --kube-api-qps=100 + - --kube-api-burst=100 + env: + - name: ADDRESS + value: /csi/csi.sock + image: '{{ .Values.controllerDeployment.csiAttacher.image}}:{{ .Values.controllerDeployment.csiAttacher.tag}}' + name: csi-attacher + volumeMounts: + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . | toYaml | nindent 12 }} + {{- end }} + - args: + - --v=4 + - --timeout=300s + - --handle-volume-inuse-error=false + - --csi-address=$(ADDRESS) + - --kube-api-qps=100 + - --kube-api-burst=100 + - --leader-election + env: + - name: ADDRESS + value: /csi/csi.sock + image: '{{ .Values.controllerDeployment.csiResizer.image}}:{{ .Values.controllerDeployment.csiResizer.tag}}' + name: csi-resizer + volumeMounts: + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . 
| toYaml | nindent 12 }} + {{- end }} + - args: + - --fss-name=internal-feature-states.csi.vsphere.vmware.com + - --fss-namespace=$(CSI_NAMESPACE) + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_SPEC_DISABLE_LEN_CHECK + value: "true" + - name: X_CSI_SERIAL_VOL_ACCESS_TIMEOUT + value: 3m + - name: VSPHERE_CSI_CONFIG + value: /etc/cloud/csi-vsphere.conf + - name: LOGGER_LEVEL + value: PRODUCTION + - name: INCLUSTER_CLIENT_QPS + value: "100" + - name: INCLUSTER_CLIENT_BURST + value: "100" + - name: CSI_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ .Values.controllerDeployment.csiController.image}}:{{ .Values.controllerDeployment.csiController.tag}}' + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 3 + name: vsphere-csi-controller + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + - containerPort: 2112 + name: prometheus + protocol: TCP + volumeMounts: + - mountPath: /etc/cloud + name: vsphere-config-volume + readOnly: true + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . | toYaml | nindent 12 }} + {{- end }} + - args: + - --v=4 + - --csi-address=/csi/csi.sock + image: '{{ .Values.controllerDeployment.livenessProbe.image}}:{{ .Values.controllerDeployment.livenessProbe.tag}}' + name: liveness-probe + volumeMounts: + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . 
| toYaml | nindent 12 }} + {{- end }} + - args: + - --leader-election + - --fss-name=internal-feature-states.csi.vsphere.vmware.com + - --fss-namespace=$(CSI_NAMESPACE) + env: + - name: FULL_SYNC_INTERVAL_MINUTES + value: "30" + - name: VSPHERE_CSI_CONFIG + value: /etc/cloud/csi-vsphere.conf + - name: LOGGER_LEVEL + value: PRODUCTION + - name: INCLUSTER_CLIENT_QPS + value: "100" + - name: INCLUSTER_CLIENT_BURST + value: "100" + - name: GODEBUG + value: x509sha1=1 + - name: CSI_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ .Values.controllerDeployment.syncer.image}}:{{ .Values.controllerDeployment.syncer.tag}}' + imagePullPolicy: Always + name: vsphere-syncer + ports: + - containerPort: 2113 + name: prometheus + protocol: TCP + volumeMounts: + - mountPath: /etc/cloud + name: vsphere-config-volume + readOnly: true + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . | toYaml | nindent 12 }} + {{- end }} + - args: + - --v=4 + - --timeout=300s + - --csi-address=$(ADDRESS) + - --kube-api-qps=100 + - --kube-api-burst=100 + - --leader-election + - --default-fstype=ext4 + env: + - name: ADDRESS + value: /csi/csi.sock + image: '{{ .Values.controllerDeployment.csiProvisioner.image}}:{{ .Values.controllerDeployment.csiProvisioner.tag}}' + name: csi-provisioner + volumeMounts: + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . | toYaml | nindent 12 }} + {{- end }} + - args: + - --v=4 + - --kube-api-qps=100 + - --kube-api-burst=100 + - --timeout=300s + - --csi-address=$(ADDRESS) + - --leader-election + env: + - name: ADDRESS + value: /csi/csi.sock + image: '{{ .Values.controllerDeployment.csiSnapshotter.image}}:{{ .Values.controllerDeployment.csiSnapshotter.tag}}' + name: csi-snapshotter + volumeMounts: + - mountPath: /csi + name: socket-dir + securityContext: + {{- with .Values.containerSecurityContext }} + {{- . 
| toYaml | nindent 12 }} + {{- end }} dnsPolicy: Default nodeSelector: node-role.kubernetes.io/control-plane: "" serviceAccountName: vsphere-csi-controller tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists volumes: - - name: vsphere-config-volume - secret: - secretName: vsphere-config-secret - - emptyDir: {} - name: socket-dir + - name: vsphere-config-volume + secret: + secretName: vsphere-config-secret + - emptyDir: {} + name: socket-dir + securityContext: + {{- with .Values.podSecurityContext }} + {{- . | toYaml | nindent 8 }} + {{- end }} diff --git a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/pss-exceptions.yaml b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/pss-exceptions.yaml index 1e7f41b..554c12b 100644 --- a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/pss-exceptions.yaml +++ b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/pss-exceptions.yaml 
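Review bot: The new side keeps `- name: GODEBUG` / `value: x509sha1=1` on the vsphere-syncer container, which re-enables acceptance of SHA-1-signed X.509 certificate chains that Go otherwise rejects; it is carried over from the old side rather than introduced here, but it weakens TLS verification (presumably toward vCenter) and deserves at least a comment naming the certificate it exists for and the condition under which it can be dropped. Since this file is produced by `hack/update-csi-chart.sh` and `hack/custom-patches.sh`, that comment and any eventual removal belong in the config overlay rather than in this generated template.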
@@ -28,24 +28,24 @@ spec: ruleNames: - restricted-volumes - autogen-restricted-volumes - - policyName: require-run-as-nonroot - ruleNames: - - run-as-non-root - - autogen-run-as-non-root + # - policyName: require-run-as-nonroot + # ruleNames: + # - run-as-non-root + # - autogen-run-as-non-root - policyName: restrict-seccomp-strict ruleNames: - check-seccomp-strict - autogen-check-seccomp-strict - - policyName: disallow-capabilities - ruleNames: - - adding-capabilities - - autogen-adding-capabilities - - policyName: disallow-capabilities-strict - ruleNames: - - adding-capabilities-strict - - autogen-adding-capabilities-strict - - require-drop-all - - autogen-require-drop-all + # - policyName: disallow-capabilities + # ruleNames: + # - adding-capabilities + # - autogen-adding-capabilities + # - policyName: disallow-capabilities-strict + # ruleNames: + # - adding-capabilities-strict + # - autogen-adding-capabilities-strict + # - require-drop-all + # - autogen-require-drop-all - policyName: disallow-privilege-escalation ruleNames: - privilege-escalation @@ -62,4 +62,4 @@ spec: - {{ .Release.Namespace }} names: - vsphere-csi* -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/values.yaml b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/values.yaml index c02ea43..e8b1a37 100644 --- a/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/values.yaml +++ b/helm/cloud-provider-vsphere/charts/vsphere-csi-driver/values.yaml @@ -53,3 +53,9 @@ storageClass: isDefault: false vcdStorageProfileName: "vSAN Default Storage Policy" fileSystem: "ext4" + +containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/helm/cloud-provider-vsphere/templates/crd-install/crd-configmap.yaml b/helm/cloud-provider-vsphere/templates/crd-install/crd-configmap.yaml index f2c5f86..243a38e 100644 
--- a/helm/cloud-provider-vsphere/templates/crd-install/crd-configmap.yaml +++ b/helm/cloud-provider-vsphere/templates/crd-install/crd-configmap.yaml @@ -24,4 +24,4 @@ data: {{ tpl ($.Files.Get $path) . | indent 4 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/templates/crd-install/crd-job.yaml b/helm/cloud-provider-vsphere/templates/crd-install/crd-job.yaml index 61d6af5..bddc16a 100644 --- a/helm/cloud-provider-vsphere/templates/crd-install/crd-job.yaml +++ b/helm/cloud-provider-vsphere/templates/crd-install/crd-job.yaml @@ -37,7 +37,7 @@ spec: operator: Exists containers: - name: kubectl - image: "{{ .Values.crdInstall.kubectl.registry }}/{{ .Values.crdInstall.kubectl.image }}:{{ .Values.crdInstall.kubectl.tag }}" + image: "{{ .Values.global.crdInstall.kubectl.registry }}/{{ .Values.global.crdInstall.kubectl.image }}:{{ .Values.global.crdInstall.kubectl.tag }}" command: - sh - -c @@ -57,7 +57,6 @@ spec: mountPath: /data/{{ $path | base }} subPath: {{ $path | base }} {{- end }} - resources: {{- toYaml .Values.crdInstall.resources | nindent 10 }} volumes: {{ $currentScope := . }} {{- range $path, $_ := .Files.Glob "files/**" }} diff --git a/helm/cloud-provider-vsphere/templates/crd-install/crd-netpol.yaml b/helm/cloud-provider-vsphere/templates/crd-install/crd-netpol.yaml index 97e899a..c375529 100644 --- a/helm/cloud-provider-vsphere/templates/crd-install/crd-netpol.yaml +++ b/helm/cloud-provider-vsphere/templates/crd-install/crd-netpol.yaml @@ -33,4 +33,4 @@ spec: policyTypes: - Egress - Ingress -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/templates/crd-install/crd-rbac.yaml b/helm/cloud-provider-vsphere/templates/crd-install/crd-rbac.yaml index 5d51797..2675a88 100644 --- a/helm/cloud-provider-vsphere/templates/crd-install/crd-rbac.yaml +++ b/helm/cloud-provider-vsphere/templates/crd-install/crd-rbac.yaml 
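Review bot: The second crd-job hunk removes `resources: {{- toYaml .Values.crdInstall.resources | nindent 10 }}` from the kubectl container without a replacement, so the CRD-install job now runs with no CPU or memory requests and limits; if the intent was to follow the `.Values.global.crdInstall` move made in the first hunk, the line should come back as `resources: {{- toYaml .Values.global.crdInstall.resources | nindent 10 }}`. Namespaces with a LimitRange or ResourceQuota, or an admission policy that requires requests and limits, would otherwise reject or pad the job pod. The `global.crdInstall` values are not part of this diff, so whether a `resources` key exists there cannot be confirmed from the hunk.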
@@ -61,4 +61,4 @@ subjects: - kind: ServiceAccount name: {{ include "crdInstall" . }} namespace: {{ .Release.Namespace | quote }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/cloud-provider-vsphere/templates/crd-install/crd-serviceaccount.yaml b/helm/cloud-provider-vsphere/templates/crd-install/crd-serviceaccount.yaml index 57edf33..bf2caea 100644 --- a/helm/cloud-provider-vsphere/templates/crd-install/crd-serviceaccount.yaml +++ b/helm/cloud-provider-vsphere/templates/crd-install/crd-serviceaccount.yaml @@ -10,6 +10,6 @@ metadata: {{- include "crdInstallAnnotations" . | nindent 4 }} labels: app.kubernetes.io/component: {{ include "crdInstall" . | quote }} - {{- include "labels.selector" . | nindent 4 }} + {{- include "labels.crdSelector" . | nindent 4 }} role: {{ include "crdInstallSelector" . | quote }} {{- end }}