Improve securityContext implementation
Signed-off-by: hanenMizouni <[email protected]>
outscale-hmi committed Oct 9, 2024
1 parent 5b599c6 commit 8f4cfaf
Showing 4 changed files with 82 additions and 5 deletions.
28 changes: 28 additions & 0 deletions osc-bsu-csi-driver/templates/controller.yaml
Expand Up @@ -47,6 +47,10 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: osc-plugin
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
Expand Down Expand Up @@ -134,6 +138,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
args:
Expand Down Expand Up @@ -189,6 +197,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.provisionerImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-attacher
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
args:
Expand Down Expand Up @@ -237,6 +249,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.attacherImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.enableVolumeSnapshot }}
- name: csi-snapshotter
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
Expand Down Expand Up @@ -284,6 +300,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.snapshotterImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.enableVolumeResizing }}
- name: csi-resizer
Expand Down Expand Up @@ -335,6 +355,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.resizerImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
Expand All @@ -347,6 +371,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbeImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: socket-dir
emptyDir: {}
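Review bot: The pod-level `securityContext` added in the first hunk (under `spec:`, nindent 8) is rendered from the same `.Values.containerSecurityContext` that the osc-plugin container consumes in the second hunk, but PodSecurityContext and container SecurityContext do not share a schema: `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `privileged` and `capabilities` are container-only, so any such key emitted at pod level is rejected by server-side field validation or silently dropped on older API servers. Give the pod its own value, as node.yaml already does with `.Values.node.securityContext` versus `.Values.node.containerSecurityContext`, e.g. `{{- with .Values.securityContext }}` for the pod block (name is a proposal). I also cannot see a values.yaml default for `.Values.containerSecurityContext` anywhere in this diff; if none exists, both `with` blocks render nothing and the osc-plugin controller container ships with no securityContext while every sidecar gets a hardened one. The Deployment spec continues outside each hunk.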
19 changes: 17 additions & 2 deletions osc-bsu-csi-driver/templates/node.yaml
Expand Up @@ -44,10 +44,12 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.node.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: osc-plugin
securityContext:
privileged: true
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
Expand Down Expand Up @@ -91,6 +93,11 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.node.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}

- name: node-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
args:
Expand Down Expand Up @@ -126,6 +133,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrarImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
Expand All @@ -137,6 +148,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbeImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kubelet-dir
hostPath:
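Review bot: Replacing the hardcoded `privileged: true` (removed lines of the first hunk) with a `with .Values.node.containerSecurityContext` block in the second hunk means a user who sets that value to `{}` or `null` gets a node plugin that renders cleanly, starts unprivileged, and only fails later at mount time; nothing at template time reports the misconfiguration. Guard the value so the failure is explicit, e.g. `{{- with (required "node.containerSecurityContext must be set (the node plugin needs privileged: true)" .Values.node.containerSecurityContext) }}`. As with the controller, no default for the new pod-level `.Values.node.securityContext` (first hunk) is visible in this diff, so that block presumably renders nothing unless the values file already carries it. Minor style point: the blank line left after the `{{- end }}` inside the osc-plugin container entry is inconsistent with the rest of the container list. The DaemonSet spec continues outside each hunk.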
38 changes: 36 additions & 2 deletions osc-bsu-csi-driver/values.yaml
Expand Up @@ -43,6 +43,11 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -57,6 +62,11 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -71,6 +81,11 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -79,6 +94,11 @@ sidecars:
tag: "v2.14.0"
# -- Port of the liveness of the main container
port: "9808"
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
resizerImage:
repository: registry.k8s.io/sig-storage/csi-resizer
tag: "v1.12.0"
Expand All @@ -90,6 +110,11 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -102,6 +127,12 @@ sidecars:
httpEndpointPort: "8093"
# -- Enable liveness probe for the container
enableLivenessProbe: false
securityContext:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false


# -- Specify image pull secrets
imagePullSecrets: []
Expand Down Expand Up @@ -142,7 +173,6 @@ resources:
# requests:
# cpu: 100m
# memory: 128Mi

nodeSelector: {}

#@ignored
Expand Down Expand Up @@ -187,7 +217,11 @@ node:
tolerateAllTaints: true
# -- Pod tolerations
tolerations: []

# Privileged containers always run as `Unconfined`, which means that they are not restricted by a seccomp profile.
containerSecurityContext:
readOnlyRootFilesystem: true
privileged: true
allowPrivilegeEscalation: true
serviceAccount:
controller:
# -- Annotations to add to the Controller ServiceAccount
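Review bot: The six identical sidecar `securityContext` blocks (provisioner, attacher, snapshotter, liveness probe, resizer, node-driver-registrar) stop one step short of the Pod Security Standards "restricted" profile: they set `seccompProfile: RuntimeDefault`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` but omit `runAsNonRoot: true` and `capabilities: { drop: [ALL] }`, so a namespace enforcing `restricted` still rejects these pods and each sidecar keeps the image's default capability set. Adding `runAsNonRoot: true` and a `capabilities:` / `drop:` / `- ALL` stanza to each block would close that gap (the upstream sig-storage images are built to run as a non-root user, but confirm for the pinned tags before relying on it). Six verbatim copies will also drift; a single shared default that the templates fall back to when a per-sidecar `securityContext` is unset would keep them aligned. For `node.containerSecurityContext`, the comment above it explains the seccomp consequence but not the reason for `privileged: true`; a note such as `# privileged is required for the node plugin's mount/attach operations on the host` (presumably the reason, confirm) would help whoever next tries to tighten it.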
2 changes: 1 addition & 1 deletion tests/e2e/testsuites/testsuites.go
Expand Up @@ -336,7 +336,7 @@ func (t *TestPersistentVolumeClaim) Cleanup() {
// in a couple of minutes.
if t.persistentVolume != nil && t.persistentVolume.Spec.PersistentVolumeReclaimPolicy == v1.PersistentVolumeReclaimDelete {
By(fmt.Sprintf("waiting for claim's PV %q to be deleted", t.persistentVolume.Name))
err := e2epv.WaitForPersistentVolumeDeleted(context.Background(), t.client, t.persistentVolume.Name, 5*time.Second, 10*time.Minute)
err := e2epv.WaitForPersistentVolumeDeleted(context.Background(), t.client, t.persistentVolume.Name, 5*time.Second, 20*time.Minute)
framework.ExpectNoError(err)
}
// Wait for the PVC to be deleted
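Review bot: The wait for PV deletion is doubled to `20*time.Minute` on the changed line with no comment saying why, and an unexplained magic duration tends to be bumped again the next time the suite flakes. Add a one-line justification above the call, e.g. `// Volume deletion on the backend can exceed 10 minutes; see <TICKET-ID placeholder>` so the next reader knows whether this bounds a real backend latency or papers over a cleanup bug. Cleanup() starts and ends outside the hunk.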
