Improve securityContext implementation
Signed-off-by: hanenMizouni <[email protected]>
outscale-hmi committed Oct 8, 2024
1 parent c2fe035 commit bebe865
Showing 3 changed files with 72 additions and 4 deletions.
28 changes: 28 additions & 0 deletions osc-bsu-csi-driver/templates/controller.yaml
Expand Up @@ -47,6 +47,10 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: osc-plugin
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
Expand Down Expand Up @@ -134,6 +138,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
args:
Expand Down Expand Up @@ -189,6 +197,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.provisionerImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-attacher
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
args:
Expand Down Expand Up @@ -237,6 +249,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.attacherImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.enableVolumeSnapshot }}
- name: csi-snapshotter
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
Expand Down Expand Up @@ -284,6 +300,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.snapshotterImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.enableVolumeResizing }}
- name: csi-resizer
Expand Down Expand Up @@ -335,6 +355,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.resizerImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
Expand All @@ -347,6 +371,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbeImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: socket-dir
emptyDir: {}
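Review bot: The pod-level `securityContext:` added in the first hunk (rendered with `nindent 8`, directly above `containers:`) is fed from the same `.Values.containerSecurityContext` that the second hunk applies to the osc-plugin container, but the keys that value carries in values.yaml (`readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `privileged`) are container-level `SecurityContext` fields and do not exist in `PodSecurityContext`. With strict field validation on the API server the Deployment is rejected; on older servers the fields are silently dropped, so the pod-level block protects nothing either way. Either remove that block or source it from a separate value meant for pod-level settings (for example a new `podSecurityContext` key holding `runAsNonRoot`/`seccompProfile`-style fields), `{{- with .Values.podSecurityContext }}`. Whether the osc-plugin controller binary writes anywhere on its root filesystem is not visible here; if it does, `readOnlyRootFilesystem: true` needs a matching writable `emptyDir`, which this commit does not add.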
19 changes: 17 additions & 2 deletions osc-bsu-csi-driver/templates/node.yaml
Expand Up @@ -44,10 +44,12 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.node.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: osc-plugin
securityContext:
privileged: true
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
Expand Down Expand Up @@ -91,6 +93,11 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.node.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}

- name: node-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
args:
Expand Down Expand Up @@ -126,6 +133,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrarImage.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
Expand All @@ -137,6 +148,10 @@ spec:
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbe.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kubelet-dir
hostPath:
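Review bot: The liveness-probe hunk reads `.Values.sidecars.livenessProbe.securityContext`, while the image two lines above it and the controller template both use the `sidecars.livenessProbeImage` key, which is also where values.yaml places the new `securityContext` defaults. Helm's `with` on a missing key renders nothing and raises no error, so the node DaemonSet's liveness-probe sidecar silently gets no securityContext at all; the line should be `{{- with .Values.sidecars.livenessProbeImage.securityContext }}`. Note also that the first hunk removes the hard-coded `privileged: true` from the osc-plugin container and makes it depend entirely on `node.containerSecurityContext`, so a user who overrides that value without `privileged: true` will lose the privilege the node plugin had before; a `# --` comment on that value in values.yaml stating this would help. The pod-level `.Values.node.securityContext` block in the first hunk has no default in the values.yaml hunks shown, so it appears to render nothing unless set.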
29 changes: 27 additions & 2 deletions osc-bsu-csi-driver/values.yaml
Expand Up @@ -43,6 +43,9 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -57,6 +60,9 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -71,6 +77,9 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -79,6 +88,9 @@ sidecars:
tag: "v2.14.0"
# -- Port of the liveness of the main container
port: "9808"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
resizerImage:
repository: registry.k8s.io/sig-storage/csi-resizer
tag: "v1.12.0"
Expand All @@ -90,6 +102,9 @@ sidecars:
enableLivenessProbe: false
# -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration)
leaderElection: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
# Grant additional permissions to external-provisioner
additionalClusterRoleRules:
Expand All @@ -102,6 +117,10 @@ sidecars:
httpEndpointPort: "8093"
# -- Enable liveness probe for the container
enableLivenessProbe: false
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false


# -- Specify image pull secrets
imagePullSecrets: []
Expand Down Expand Up @@ -142,7 +161,10 @@ resources:
# requests:
# cpu: 100m
# memory: 128Mi

# securityContext on the node container (see sidecars for securityContext on sidecar containers)
containerSecurityContext:
readOnlyRootFilesystem: true
privileged: true
nodeSelector: {}

#@ignored
Expand Down Expand Up @@ -187,7 +209,10 @@ node:
tolerateAllTaints: true
# -- Pod tolerations
tolerations: []

# securityContext on the controller container (see sidecars for securityContext on sidecar containers)
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
serviceAccount:
controller:
# -- Annotations to add to the Controller ServiceAccount
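Review bot: The two `containerSecurityContext` blocks appear to be crossed: the hunk anchored at top-level `resources:` is commented "securityContext on the node container" and carries `privileged: true`, while the hunk anchored under `node:` is commented "securityContext on the controller container" and carries `allowPrivilegeEscalation: false`, yet controller.yaml reads `.Values.containerSecurityContext` and node.yaml reads `.Values.node.containerSecurityContext`. Indentation is not visible on this page, so this is inferred from the hunk context; if the first block is top-level and the second is under `node:`, the controller plugin would run privileged and the node plugin would lose the `privileged: true` that node.yaml no longer hard-codes. The fix is to swap the two bodies and comments so `privileged: true` sits under `node.containerSecurityContext` and `allowPrivilegeEscalation: false` under the top-level key. Do not "fix" the node block by adding `allowPrivilegeEscalation: false` next to `privileged: true`, as the API server rejects that combination. The new comments also use plain `#` where the rest of the file uses the `# --` helm-docs form.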
