From 016cd4ef35dff31cfda0b5ceb7fcea7adc013b58 Mon Sep 17 00:00:00 2001
From: hanenMizouni
Date: Tue, 8 Oct 2024 16:11:28 +0000
Subject: [PATCH] Improve securityContext implementation
Signed-off-by: hanenMizouni
---
 osc-bsu-csi-driver/templates/controller.yaml | 28 +++++++++++++
 osc-bsu-csi-driver/templates/node.yaml | 17 ++++++++
 osc-bsu-csi-driver/values.yaml | 43 +++++++++++++++++++-
 3 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/osc-bsu-csi-driver/templates/controller.yaml b/osc-bsu-csi-driver/templates/controller.yaml
index b1562d3a..8a1b845a 100644
--- a/osc-bsu-csi-driver/templates/controller.yaml
+++ b/osc-bsu-csi-driver/templates/controller.yaml
@@ -47,6 +47,10 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: ebs-plugin
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -134,6 +138,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 - name: csi-provisioner
 image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
 args:
@@ -189,6 +197,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.provisionerImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 - name: csi-attacher
 image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
 args:
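Review bot: The pod-level `securityContext` added in the `-47` hunk is fed from `.Values.containerSecurityContext`, but the defaults this commit gives that key in values.yaml (`readOnlyRootFilesystem`, `allowPrivilegeEscalation`) are container-level fields that do not exist in PodSecurityContext; with strict server-side field validation the Deployment is rejected, and otherwise the unknown fields are dropped with a warning, leaving only `seccompProfile` in effect. node.yaml already separates the two levels (`.Values.node.securityContext` for the pod, `.Values.node.containerSecurityContext` for the container), so the controller should do the same with a distinct pod-level value, e.g. `{{- with .Values.securityContext }}` at nindent 8 backed by a pod-level default in values.yaml. The container-level use of `.Values.containerSecurityContext` in the `-134` hunk is the correct one and can stay as is.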
@@ -237,6 +249,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.attacherImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if .Values.enableVolumeSnapshot }}
 - name: csi-snapshotter
 image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
@@ -284,6 +300,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.snapshotterImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.enableVolumeResizing }}
 - name: csi-resizer
@@ -335,6 +355,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.resizerImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 - name: liveness-probe
 image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
@@ -346,6 +370,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.livenessProbeImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: socket-dir
 emptyDir: {}
diff --git a/osc-bsu-csi-driver/templates/node.yaml b/osc-bsu-csi-driver/templates/node.yaml
index befdc1bf..73ff7eea 100644
--- a/osc-bsu-csi-driver/templates/node.yaml
+++ b/osc-bsu-csi-driver/templates/node.yaml
@@ -53,6 +53,10 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.node.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: ebs-plugin
 securityContext:
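Review bot: `.Values.node.securityContext`, read by the pod-level block in the node.yaml `-53` hunk, is not declared in any of this commit's values.yaml hunks — only `node.containerSecurityContext` is — so the block renders nothing by default and the knob is invisible to chart users and to generated values docs. Declare it next to `node.containerSecurityContext`, e.g. `# -- securityContext applied to the node DaemonSet pod` followed by `securityContext: {}`, or drop the template block if a pod-level context is not intended for the DaemonSet. Note that the `-53` hunk's trailing context shows the `ebs-plugin` container already opening with its own `securityContext:`, which matters for the later `-100` hunk.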
@@ -100,6 +104,11 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.node.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+
 - name: node-driver-registrar
 image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
 args:
@@ -135,6 +144,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.nodeDriverRegistrarImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 - name: liveness-probe
 image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
 args:
@@ -145,6 +158,10 @@ spec:
 {{- with .Values.resources }}
 resources: {{ toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.sidecars.livenessProbeImage.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: kubelet-dir
 hostPath:
diff --git a/osc-bsu-csi-driver/values.yaml b/osc-bsu-csi-driver/values.yaml
index 37e3950a..b3caa33b 100644
--- a/osc-bsu-csi-driver/values.yaml
+++ b/osc-bsu-csi-driver/values.yaml
@@ -45,6 +45,11 @@ sidecars:
 enableLivenessProbe: false
 # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
 leaderElection: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 additionalArgs: []
 # Grant additional permissions to external-provisioner
 additionalClusterRoleRules:
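Review bot: The `-100` hunk appends a second `securityContext:` to the node `ebs-plugin` container, which already has one at the top of its definition (the `-53` hunk's trailing context shows `- name: ebs-plugin` immediately followed by `securityContext:`). The rendered manifest then carries a duplicate mapping key inside that container; depending on the YAML decoder in the path this is either rejected outright or silently resolved last-wins, so whatever the existing hard-coded block sets and the new `.Values.node.containerSecurityContext` block (whose default already includes `privileged: true` and `readOnlyRootFilesystem: true`) would clash unpredictably. Either remove the existing hard-coded block so the value supplies the whole context, or merge the two into a single `securityContext:`. The stray empty `+` line inserted before `- name: node-driver-registrar` should also be dropped. The container definition starts outside this hunk.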
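Review bot: The sidecar `securityContext` defaults introduced in the values.yaml `-45` hunk (and repeated verbatim at `-59`, `-73`, `-81`, `-92` and `-104`) set `seccompProfile`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` but omit `capabilities: { drop: [ALL] }` and `runAsNonRoot: true`, which the Kubernetes restricted Pod Security Standard also requires, so a namespace enforcing `restricted` would still reject these pods. Adding `capabilities:` / `  drop:` / `    - ALL` to each block is safe for sidecars that only talk to the CSI socket and the API server; confirm the sidecar images run under a non-root UID before defaulting `runAsNonRoot: true`. Since the six blocks are identical, a single shared default (or at least a `# -- securityContext applied to this sidecar container` comment in the helm-docs style the neighbouring keys use) would keep them from drifting apart.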
@@ -59,6 +64,11 @@ sidecars:
 enableLivenessProbe: false
 # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
 leaderElection: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 additionalArgs: []
 # Grant additional permissions to external-provisioner
 additionalClusterRoleRules:
@@ -73,6 +83,11 @@ sidecars:
 enableLivenessProbe: false
 # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
 leaderElection: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 additionalArgs: []
 # Grant additional permissions to external-provisioner
 additionalClusterRoleRules:
@@ -81,6 +96,11 @@ sidecars:
 tag: "v2.13.1"
 # -- Port of the liveness of the main container
 port: "9808"
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 resizerImage:
 repository: registry.k8s.io/sig-storage/csi-resizer
 tag: "v1.11.2"
@@ -92,6 +112,11 @@ sidecars:
 enableLivenessProbe: false
 # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
 leaderElection: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 additionalArgs: []
 # Grant additional permissions to external-provisioner
 additionalClusterRoleRules:
@@ -104,6 +129,12 @@ sidecars: httpEndpointPort: "8093" # -- Enable liveness probe for the container enableLivenessProbe: false + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- Specify image pull secrets imagePullSecrets: [] @@ -144,7 +175,6 @@ resources: # requests: # cpu: 100m # memory: 128Mi - nodeSelector: {} #@ignored @@ -189,11 +219,20 @@ node: tolerateAllTaints: true # -- Pod tolerations tolerations: [] - + # Privileged containers always run as `Unconfined`, which means that they are not restricted by a seccomp profile. + containerSecurityContext: + readOnlyRootFilesystem: true + privileged: true serviceAccount: controller: # -- Annotations to add to the Controller ServiceAccount annotations: {} + # securityContext on the controller container (see sidecars for securityContext on sidecar containers) + containerSecurityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false snapshot: # -- Annotations to add to the Snapshot ServiceAccount annotations: {}
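Review bot: In the `-189` hunk the controller `containerSecurityContext` block is inserted between `serviceAccount.controller.annotations: {}` and `serviceAccount.snapshot:`; with whitespace collapsed here I cannot see its indentation, but for `snapshot:` to remain a child of `serviceAccount` the new key must be nested under `serviceAccount` (or `serviceAccount.controller`) rather than at top level, in which case controller.yaml's `{{- with .Values.containerSecurityContext }}` never matches, the controller `ebs-plugin` container gets no securityContext by default, and the mismatch goes unnoticed because an empty `with` renders nothing. Please confirm the key sits at column 0, or move it above `serviceAccount:` among the other top-level keys where `helm template` will pick it up. The `-144` hunk removes one line near `nodeSelector: {}`; if that is the key itself rather than the blank line, it is an unrelated functional change that does not belong in this commit.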