diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md
index a8b749f3c..7cb05e9e9 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/README.md
+++ b/manifest_staging/charts/secrets-store-csi-driver/README.md
@@ -35,6 +35,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
 | `linux.image.tag` | Linux image tag | `v1.4.7` |
 | `linux.image.digest` | Linux image digest, image pull from digest instead of tag if specified | `""` |
+| `linux.podSecurityContext` | Linux pod security context | `{}` |
+| `linux.securityContext` | Linux secrets-store container security context | `{"privileged": "true"}` |
 | `linux.crds.enabled` | If the CRDs should be managed by the chart | `true` |
 | `linux.crds.image.repository` | Linux crds image repository | `registry.k8s.io/csi-secrets-store/driver-crds` |
 | `linux.crds.image.pullPolicy` | Linux crds image pull policy | `IfNotPresent` |
@@ -55,12 +57,14 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.11.1` |
 | `linux.registrarImage.digest` | Linux node-driver-registrar image digest, image pull from digest instead of tag if specified | `""` |
 | `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
+| `linux.registrar.securityContext` | The security context for the linux node-driver-registrar container image | `{}` |
 | `linux.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` |
 | `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.k8s.io/sig-storage/livenessprobe` |
 | `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` |
 | `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.13.1` |
 | `linux.livenessProbeImage.digest` | Linux liveness-probe image digest, image pull from digest instead of tag if specified | `""` |
 | `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
+| `linux.livenessProbe.securityContext` | The security context for the linux liveness-probe container | `{}` |
 | `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` |
 | `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
 | `linux.crds.annotations` | Linux *helm hook* annotations | `{}` |
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
index 60566d941..8f033db50 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml +++ b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml @@ -36,6 +36,12 @@ spec: {{- end }} affinity: {{ toYaml .Values.linux.affinity | indent 8 }} + {{- if .Values.linux.podSecurityContext }} + securityContext: + {{- with .Values.linux.podSecurityContext }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} containers: - name: node-driver-registrar {{- if .Values.linux.registrarImage.digest }} @@ -48,6 +54,10 @@ spec: - --csi-address=/csi/csi.sock - --kubelet-registration-path={{ .Values.linux.kubeletRootDir }}/plugins/csi-secrets-store/csi.sock imagePullPolicy: {{ .Values.linux.registrarImage.pullPolicy }} + {{- if .Values.linux.registrar.securityContext }} + securityContext: + {{- toYaml .Values.linux.registrar.securityContext | nindent 12}} + {{- end }} volumeMounts: - name: plugin-dir mountPath: /csi @@ -103,7 +113,9 @@ spec: fieldPath: spec.nodeName imagePullPolicy: {{ .Values.linux.image.pullPolicy }} securityContext: - privileged: true + {{- with .Values.linux.securityContext }} + {{- toYaml . | nindent 12 }} + {{- end }} ports: - containerPort: {{ .Values.livenessProbe.port }} name: healthz @@ -148,6 +160,10 @@ spec: image: "{{ .Values.linux.livenessProbeImage.repository }}:{{ .Values.linux.livenessProbeImage.tag }}" {{- end }} imagePullPolicy: {{ .Values.linux.livenessProbeImage.pullPolicy }} + {{- if .Values.linux.livenessProbe.securityContext }} + securityContext: + {{- toYaml .Values.linux.livenessProbe.securityContext | nindent 12 }} + {{- end }} args: - --csi-address=/csi/csi.sock - --probe-timeout=3s diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml index e734e6764..491dce240 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml +++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml 
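Review bot: The `{{- if .Values.linux.podSecurityContext }}` wrapper around `{{- with .Values.linux.podSecurityContext }}` in the first hunk is redundant, since `with` already skips its body for an empty or missing map, so the outer `if` only adds a nesting level and a second `{{- end }}`. Dropping the `if` and moving the `securityContext:` key inside the `with` gives the same output in fewer lines. The registrar and liveness-probe hunks use a third form again (`if` plus a bare `toYaml` of the value), and the registrar one has `nindent 12}}` without the space before `}}` that every other action in the template uses; choosing one form for all four containers would make the template easier to read and review.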
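Review bot: In the third hunk the `securityContext:` key stays outside the `{{- with .Values.linux.securityContext }}` block, so a chart user who sets `linux.securityContext: {}` (or null) gets a bare `securityContext:` key with no value under the secrets-store container, unlike the other three containers where the key is only emitted when a value is set. Moving the key inside the block — `{{- with .Values.linux.securityContext }}`, then `securityContext:` and `{{- toYaml . | nindent 12 }}` — keeps the rendered spec consistent across containers. The removed `privileged: true` now survives only as the values.yaml default, and since this is the container that presumably mounts the kubelet plugin directory (its volumeMounts are outside the hunk), an override that drops `privileged` may leave the pod unable to start; it would help to state in the values comment or README which settings the driver container depends on so operators can harden the other fields without removing that one.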
@@ -6,6 +6,9 @@ linux: #digest: sha256: pullPolicy: IfNotPresent + # Pod security context + podSecurityContext: {} + crds: enabled: true image: @@ -22,6 +25,9 @@ linux: # memory: "512Mi" annotations: {} podLabels: {} + # The secrets-store container security context + securityContext: + privileged: true ## Prevent the CSI driver from being scheduled on virtual-kubelet nodes affinity: @@ -58,7 +64,7 @@ linux: cpu: 10m memory: 20Mi logVerbosity: 5 - + securityContext: {} livenessProbeImage: repository: registry.k8s.io/sig-storage/livenessprobe tag: v2.13.1 @@ -73,6 +79,7 @@ linux: requests: cpu: 10m memory: 20Mi + securityContext: {} updateStrategy: type: RollingUpdate
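Review bot: The new `securityContext:` block under `linux` in the second hunk keeps `privileged: true` as a YAML boolean, but the README row added in this commit for `linux.securityContext` documents the default as `{"privileged": "true"}` with the value quoted; `privileged` is a boolean field, so a user who copies the documented form into an override gets a value the API server rejects rather than the intended default. The README hunk is documentation only, so the fix is to make its default read `{"privileged": true}` to match this file. The comment `# The secrets-store container security context` would also be more useful if it said why privileged is the default, for example `# The secrets-store container security context. privileged is true by default because the driver needs it for <reason>; overriding it may prevent the driver from starting.`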
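Review bot: The third values.yaml hunk replaces what appears to be the blank separator line between the registrar block (ending at `logVerbosity: 5`) and `livenessProbeImage:` with `securityContext: {}`, so the two sections now run together while the rest of the file keeps its sections spaced. Keep the new `securityContext: {}` key under the registrar settings and restore the blank line after it.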