From 5ef01456369de0be9de53d229359d67c91574879 Mon Sep 17 00:00:00 2001
From: Dentrax
Date: Mon, 20 Jan 2025 14:37:05 +0300
Subject: [PATCH] helm: add support to override securityContext

Signed-off-by: Dentrax
---
 .local/debug-driver.yaml | 24 +++++++++++++++++++
 deploy/secrets-store-csi-driver-windows.yaml | 24 +++++++++++++++++++
 deploy/secrets-store-csi-driver.yaml | 24 +++++++++++++++++++
 .../secrets-store-csi-driver-windows.yaml | 16 +++++++++++++
 .../templates/secrets-store-csi-driver.yaml | 16 +++++++++++++
 .../secrets-store-csi-driver/values.yaml | 17 ++++++++++++-
 6 files changed, 120 insertions(+), 1 deletion(-)

diff --git a/.local/debug-driver.yaml b/.local/debug-driver.yaml
index a542da584..4b2710296 100644
--- a/.local/debug-driver.yaml
+++ b/.local/debug-driver.yaml
@@ -41,6 +41,14 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true - name: liveness-probe image: registry.k8s.io/sig-storage/livenessprobe:v2.3.0 imagePullPolicy: IfNotPresent
@@ -59,6 +67,14 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true volumes: - name: mountpoint-dir hostPath:
@@ -118,6 +134,14 @@ spec: requests: cpu: 250m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true volumes: - name: driver-volume persistentVolumeClaim:
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
index caa752aba..8b159041a 100644
--- a/deploy/secrets-store-csi-driver-windows.yaml
+++ b/deploy/secrets-store-csi-driver-windows.yaml
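Review bot: The hardcoded `runAsNonRoot: true` comes with no `runAsUser`, so for any image whose default user is root the kubelet refuses to start the container rather than demoting it, and the identical block is pasted into every container of .local/debug-driver.yaml (all three hunks) and of deploy/secrets-store-csi-driver.yaml (`@@ -35,6 +35,14 @@`, `@@ -90,6 +98,14 @@`, `@@ -108,6 +124,14 @@`) regardless of what each container does. The `secrets-store` driver container in that second file (the `@@ -90,6 +98,14 @@` hunk) is the one that performs the mounts, and a CSI node plugin that mounts into the kubelet pods directory normally relies on `mountPropagation: Bidirectional`, which Kubernetes admits only for privileged containers, so `privileged: false` there is more likely to break the DaemonSet than to harden it — please check that container's volumeMounts outside the hunk before merging. If the container already carries a `securityContext` outside the hunk, the added key duplicates it and most YAML parsers silently keep the last occurrence. Since values.yaml in this same patch sets `runAsUser: 1000`, the static manifests should at least state the same uid or leave the driver container out of the block; note also that the commit subject says `helm:` while these non-Helm manifests change too.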
@@ -35,6 +35,14 @@ spec: requests: cpu: 100m memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true - name: secrets-store image: registry.k8s.io/csi-secrets-store/driver:v1.4.7 args:
@@ -84,6 +92,14 @@ spec: mountPath: "C:\\var\\lib\\kubelet\\pods" - name: providers-dir mountPath: C:\k\secrets-store-csi-providers + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true - name: liveness-probe image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1 imagePullPolicy: IfNotPresent
@@ -102,6 +118,14 @@ spec: requests: cpu: 100m memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true volumes: - name: mountpoint-dir hostPath:
diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
index 7375762a1..c91316c68 100644
--- a/deploy/secrets-store-csi-driver.yaml
+++ b/deploy/secrets-store-csi-driver.yaml
@@ -35,6 +35,14 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true - name: secrets-store image: registry.k8s.io/csi-secrets-store/driver:v1.4.7 args:
@@ -90,6 +98,14 @@ spec: requests: cpu: 50m memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true - name: liveness-probe image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1 imagePullPolicy: IfNotPresent
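Review bot: `capabilities`, `privileged` and `readOnlyRootFilesystem` are Linux-only `securityContext` fields, so in the three hunks of deploy/secrets-store-csi-driver-windows.yaml they are either ignored at runtime or, if the pod declares `spec.os.name: windows`, rejected by API validation — the block reads as confinement but changes nothing for a Windows container. The only field that takes effect is `runAsNonRoot: true`, which Windows evaluates against `ContainerAdministrator`, so confirm the registrar, driver and livenessprobe images do not run as that account or the pod will not start. Suggest trimming the Windows block to `securityContext:` / `runAsNonRoot: true` and, if a specific account is intended, `windowsOptions.runAsUserName`, and saying in the commit message why the Windows and Linux blocks differ.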
@@ -108,6 +124,14 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true volumes: - name: mountpoint-dir hostPath:
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
index b7e4f0623..d69b42314 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
@@ -53,6 +53,10 @@ spec: mountPath: C:\csi - name: registration-dir mountPath: C:\registration + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.windows.registrar.resources }} resources: {{ toYaml . | indent 12 }}
@@ -134,6 +138,10 @@ spec: {{- if .Values.windows.volumeMounts }} {{- toYaml .Values.windows.volumeMounts | nindent 12 }} {{- end }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.windows.driver.resources }} resources: {{ toYaml . | indent 12 }}
@@ -153,6 +161,10 @@ spec: volumeMounts: - name: plugin-dir mountPath: C:\csi + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.windows.livenessProbe.resources }} resources: {{ toYaml . | indent 12 }}
@@ -160,6 +172,10 @@ spec: {{- if .Values.windows.priorityClassName }} priorityClassName: {{ .Values.windows.priorityClassName | quote }} {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} volumes: - name: mountpoint-dir hostPath:
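Review bot: All four hunks in secrets-store-csi-driver-windows.yaml render the single chart-wide `.Values.securityContext` (and `.Values.podSecurityContext`) into Windows containers, while the defaults this patch adds to values.yaml include `runAsUser: 1000`, `capabilities` and `readOnlyRootFilesystem`, which are Linux-only fields — on Windows they are ignored or, when `spec.os.name: windows` is set, rejected, and `runAsUser` in particular has no Windows meaning (the Windows equivalent is `windowsOptions.runAsUserName`). The chart already separates the two operating systems (`.Values.windows.registrar.resources` and `.Values.windows.driver.resources` sit right beside the new lines), so the override should follow that shape: `{{- with .Values.windows.securityContext }}` over `{{- toYaml . | nindent 12 }}`, plus a `windows.podSecurityContext` for the pod-level hunk; the `with` form also matches the surrounding template instead of introducing `if` with a repeated value path. The commented `fsGroup` example offered for `podSecurityContext` is likewise Linux-only and should not be suggested for the Windows DaemonSet.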
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
index 60566d941..3d249bc35 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
@@ -53,6 +53,10 @@ spec: mountPath: /csi - name: registration-dir mountPath: /registration + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.linux.registrar.resources }} resources: {{ toYaml . | indent 12 }}
@@ -137,6 +141,10 @@ spec: {{- if .Values.linux.volumeMounts }} {{- toYaml .Values.linux.volumeMounts | nindent 12 }} {{- end }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.linux.driver.resources }} resources: {{ toYaml . | indent 12 }}
@@ -156,6 +164,10 @@ spec: volumeMounts: - name: plugin-dir mountPath: /csi + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- with .Values.linux.livenessProbe.resources }} resources: {{ toYaml . | indent 12 }}
@@ -163,6 +175,10 @@ spec: {{- if .Values.linux.priorityClassName }} priorityClassName: {{ .Values.linux.priorityClassName | quote }} {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} volumes: - name: mountpoint-dir hostPath:
diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
index e734e6764..3fe886593 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
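Review bot: One chart-wide `.Values.securityContext` is applied identically to the registrar (`@@ -53,6 +53,10 @@`), the `secrets-store` driver (`@@ -137,6 +141,10 @@`) and the liveness probe (`@@ -156,6 +164,10 @@`), although these containers have very different privilege needs — the driver performs the mounts, and a CSI node plugin that uses `mountPropagation: Bidirectional` must be privileged, whereas both sidecars can be locked down fully — so with the default block values.yaml now ships, an operator cannot harden the sidecars without also stripping the driver. The chart already keys per-container settings as `linux.registrar.resources` / `linux.driver.resources` / `linux.livenessProbe.resources` in the lines next to the change, so the natural shape is `{{- with .Values.linux.driver.securityContext }}` over `{{- toYaml . | nindent 12 }}`, one per container, which also keeps the surrounding `with` idiom rather than the new `if` plus repeated path. If the driver container already emits a `securityContext:` (for example to set `privileged: true`) outside this hunk, the rendered manifest would carry the key twice and `helm template` will not flag it — worth rendering the default values once to confirm.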
@@ -13,7 +13,8 @@ linux: tag: v1.4.7 pullPolicy: IfNotPresent ## Optionally override resource limits for crd hooks(jobs) - resources: {} + resources: + {} # requests: # cpu: "100m" # memory: "128Mi"
@@ -242,3 +243,17 @@ tokenRequests: [] # -- Labels to apply to all resources commonLabels: {} # team_name: dev + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +# podSecurityContext -- [Security context for Pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) +podSecurityContext: + # fsGroup: 1000
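Review bot: The commit subject promises support to override the security context, but the new `securityContext` default in the `@@ -242,3 +243,17 @@` hunk is a fully populated block (`privileged: false`, `runAsNonRoot: true`, `runAsUser: 1000`, drop `ALL`), so every existing installation changes behaviour on the next `helm upgrade` and, if the driver container needs privileges or its image runs as root, fails to start; an opt-in default of `securityContext: {}` (falsy for the templates' `if`) with the hardened block kept as a commented example would match the stated intent. `securityContext` also lacks the helm-docs comment that `podSecurityContext` receives — add `# securityContext -- [Security context for containers](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)` above it. `podSecurityContext:` is left as a bare empty value (yamllint `empty-values`); write `podSecurityContext: {}` and keep the `# fsGroup: 1000` hint as a comment beneath it. The `resources: {}` → `resources:` / `{}` reflow in the first hunk is unrelated to this change and is better left out or committed separately.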