From 3e58b9a03e2349bb98d266f464f7104febba98ab Mon Sep 17 00:00:00 2001 From: hanenMizouni Date: Tue, 8 Oct 2024 16:11:28 +0000 Subject: [PATCH] Improve securityContext implementation Signed-off-by: hanenMizouni --- osc-bsu-csi-driver/templates/controller.yaml | 28 +++++++++++++++ osc-bsu-csi-driver/templates/node.yaml | 19 ++++++++-- osc-bsu-csi-driver/values.yaml | 38 ++++++++++++++++++-- 3 files changed, 81 insertions(+), 4 deletions(-) diff --git a/osc-bsu-csi-driver/templates/controller.yaml b/osc-bsu-csi-driver/templates/controller.yaml index 5ea8ec30..fd593785 100644 --- a/osc-bsu-csi-driver/templates/controller.yaml +++ b/osc-bsu-csi-driver/templates/controller.yaml @@ -47,6 +47,10 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: osc-plugin image: {{ .Values.image.repository }}:{{ .Values.image.tag }} @@ -134,6 +138,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} - name: csi-provisioner image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} args: @@ -189,6 +197,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.provisionerImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} - name: csi-attacher image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} args: 
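Review bot: The pod-level `securityContext` added under `spec` (indent 8) is filled from `.Values.containerSecurityContext`, but a pod's securityContext is a PodSecurityContext, which has no `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `privileged` or `capabilities` fields; if that value is ever given a container-style block (as `node.containerSecurityContext` is in this same patch) the rendered Deployment is rejected under strict field validation or the fields are dropped with a warning, depending on the cluster. Use a separate pod-scoped value here, `{{- with .Values.securityContext }}`, and keep `containerSecurityContext` for the container entries only. A pod-level default such as `runAsNonRoot: true` plus `seccompProfile: {type: RuntimeDefault}` would then apply to every container in the controller pod, sidecars included.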
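Review bot: The osc-plugin controller container now takes its securityContext from `.Values.containerSecurityContext`, but the values.yaml hunks in this patch only define `node.containerSecurityContext` and the per-sidecar blocks, so unless a top-level `containerSecurityContext` already exists in a part of values.yaml not shown here, the `with` renders nothing and the plugin — the container that holds the cloud credentials — ends up as the only unhardened container in the pod while every sidecar gets seccomp, a read-only root and no privilege escalation. Add a default for it next to the sidecar blocks, `containerSecurityContext:` with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}`, after confirming the plugin does not write to its root filesystem. The controller container definition continues outside this hunk.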
@@ -237,6 +249,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.attacherImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- if .Values.enableVolumeSnapshot }} - name: csi-snapshotter image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} @@ -284,6 +300,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.snapshotterImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} {{- if .Values.enableVolumeResizing }} - name: csi-resizer @@ -335,6 +355,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.resizerImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} @@ -347,6 +371,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.livenessProbeImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: socket-dir emptyDir: {} diff --git a/osc-bsu-csi-driver/templates/node.yaml b/osc-bsu-csi-driver/templates/node.yaml index 7c8d6530..3b92061c 100644 --- a/osc-bsu-csi-driver/templates/node.yaml +++ b/osc-bsu-csi-driver/templates/node.yaml @@ -44,10 +44,12 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.node.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: osc-plugin - securityContext: - privileged: true image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: 
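Review bot: Dropping the hard-coded `privileged: true` from the node plugin makes its privilege level depend entirely on `.Values.node.containerSecurityContext`, and the pod-level `.Values.node.securityContext` referenced just above `containers:` has no default in this patch's values.yaml hunks, so both render empty whenever a user replaces the `node:` map wholesale. The plugin presumably needs to stay privileged to open host block devices and mount BSU volumes, and if the kubelet-dir mount uses `mountPropagation: Bidirectional` the API server rejects a non-privileged container outright — confirm against the volumeMounts, which lie outside this hunk. A template comment beside the new `with` block, `# the node plugin must stay privileged: it mounts host devices and kubelet dirs`, would keep a well-meaning override from breaking every volume mount on the node. The osc-plugin container definition continues past the end of this hunk.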
@@ -91,6 +93,11 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.node.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + - name: node-driver-registrar image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} args: @@ -126,6 +133,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.nodeDriverRegistrarImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} args: @@ -137,6 +148,10 @@ spec: {{- with .Values.resources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + {{- with .Values.sidecars.livenessProbeImage.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: kubelet-dir hostPath: diff --git a/osc-bsu-csi-driver/values.yaml b/osc-bsu-csi-driver/values.yaml index d593f8a1..8c7cd306 100644 --- a/osc-bsu-csi-driver/values.yaml +++ b/osc-bsu-csi-driver/values.yaml @@ -43,6 +43,11 @@ sidecars: enableLivenessProbe: false # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration) leaderElection: {} + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false additionalArgs: [] # Grant additional permissions to external-provisioner additionalClusterRoleRules: 
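Review bot: The hunk counts (6 old, 11 new) show a fifth added line after the new `{{- end }}`, an empty one, before `- name: node-driver-registrar`; none of the sibling insertions in controller.yaml or the other node.yaml hunks carry such a line, so drop it and keep the containers list uniform rather than shipping whitespace-only noise. The node-driver-registrar container continues outside the hunk.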
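Review bot: The sidecar default under `securityContext` stops short of the Pod Security Standards `restricted` profile: it sets seccomp, a read-only root and `allowPrivilegeEscalation: false` but neither `runAsNonRoot: true` nor `capabilities.drop: [ALL]`, so a namespace enforcing `restricted` still rejects the controller pod, and a sidecar image that happens to run as root is accepted without complaint. Add `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}` to this block and to the matching blocks of the other sidecars; the registry.k8s.io sidecar images are, as far as I know, built to run as a non-root user, but verify with the image metadata before making it the default. The read-only root looks safe for this sidecar since the only writable path it should need is the `socket-dir` emptyDir declared in controller.yaml, but check it does not also write leader-election or cache files under its root filesystem.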
@@ -57,6 +62,11 @@ sidecars: enableLivenessProbe: false # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration) leaderElection: {} + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false additionalArgs: [] # Grant additional permissions to external-provisioner additionalClusterRoleRules: @@ -71,6 +81,11 @@ sidecars: enableLivenessProbe: false # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration) leaderElection: {} + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false additionalArgs: [] # Grant additional permissions to external-provisioner additionalClusterRoleRules: @@ -79,6 +94,11 @@ sidecars: tag: "v2.14.0" # -- Port of the liveness of the main container port: "9808" + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false resizerImage: repository: registry.k8s.io/sig-storage/csi-resizer tag: "v1.12.0" @@ -90,6 +110,11 @@ sidecars: enableLivenessProbe: false # -- Customize leaderElection, you can specify `leaseDuration`, `renewDeadline` and/or `retryPeriod`. Each value must be in an acceptable time.ParseDuration format.(Ref: https://pkg.go.dev/flag#Duration) leaderElection: {} + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false additionalArgs: [] # Grant additional permissions to external-provisioner additionalClusterRoleRules: 
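Review bot: The same five-line `securityContext` block is now pasted into every sidecar entry, which is the kind of duplication that drifts the first time someone hardens one sidecar and forgets the rest, and it forces a user who wants one change (dropping `readOnlyRootFilesystem` on a single image, say) to restate the whole block. Consider one shared default, `sidecars.defaultSecurityContext`, consumed in the templates as `{{- with (.Values.sidecars.attacherImage.securityContext | default .Values.sidecars.defaultSecurityContext) }}`, keeping the per-sidecar key purely as an override. A `# --` helm-docs line above the shared key would also make the hardening visible in the generated README, which the per-image blocks here lack.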
@@ -102,6 +127,12 @@ sidecars: httpEndpointPort: "8093" # -- Enable liveness probe for the container enableLivenessProbe: false + securityContext: + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- Specify image pull secrets imagePullSecrets: [] @@ -142,7 +173,6 @@ resources: # requests: # cpu: 100m # memory: 128Mi - nodeSelector: {} #@ignored @@ -187,7 +217,11 @@ node: tolerateAllTaints: true # -- Pod tolerations tolerations: [] - + # Privileged containers always run as `Unconfined`, which means that they are not restricted by a seccomp profile. + containerSecurityContext: + readOnlyRootFilesystem: true + privileged: true + allowPrivilegeEscalation: true serviceAccount: controller: # -- Annotations to add to the Controller ServiceAccount
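Review bot: The comment above `node.containerSecurityContext` talks about seccomp (`Unconfined`) while the block contains no `seccompProfile` key, and the explicit `allowPrivilegeEscalation: true` is redundant next to `privileged: true`, since privileged already implies it; `readOnlyRootFilesystem: true` is still worth keeping as defence in depth even though a privileged process can undo it. Reword the comment to say what the block actually means: `# The node plugin stays privileged (host device and mount access); privileged implies allowPrivilegeEscalation=true and runs without a seccomp profile, so neither can be tightened here.` Note that `allowPrivilegeEscalation: false` together with `privileged: true` is rejected by the API server, so anyone trying to tighten this value must remove `privileged` first — say so in the comment. The pod-level `node.securityContext` that node.yaml now reads has no entry in values.yaml; add `securityContext: {}` under `node:` with a one-line `# --` description so the key is discoverable and documented.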