Feature: Support security context (#1437) #1733

Open. Wants to merge 1 commit into base: main.
4 changes: 4 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver/README.md
Expand Up @@ -35,6 +35,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
| `linux.image.tag` | Linux image tag | `v1.4.7` |
| `linux.image.digest` | Linux image digest, image pull from digest instead of tag if specified | `""` |
| `linux.podSecurityContext` | Linux pod security context | `{}` |
| `linux.securityContext` | Linux secrets-store container security context | `{"privileged": "true"}` |
| `linux.crds.enabled` | If the CRDs should be managed by the chart | `true` |
| `linux.crds.image.repository` | Linux crds image repository | `registry.k8s.io/csi-secrets-store/driver-crds` |
| `linux.crds.image.pullPolicy` | Linux crds image pull policy | `IfNotPresent` |
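Review bot: the default shown for `linux.securityContext` in this row, `{"privileged": "true"}`, quotes the value as a string, while values.yaml in this same patch sets `privileged: true` as a boolean and the Kubernetes `privileged` field is a bool; a user who copies the README value literally into a values file will produce a string where the API expects a boolean. Suggest `{"privileged": true}`. Showing `{}` for `linux.podSecurityContext` is fine, but a short pointer that the pod-level context applies to all three containers would help readers.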
Expand All @@ -55,12 +57,14 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.11.1` |
| `linux.registrarImage.digest` | Linux node-driver-registrar image digest, image pull from digest instead of tag if specified | `""` |
| `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
| `linux.registrar.securityContext` | The security context for the linux node-driver-registrar container image | `{}` |
| `linux.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` |
| `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.k8s.io/sig-storage/livenessprobe` |
| `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` |
| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.13.1` |
| `linux.livenessProbeImage.digest` | Linux liveness-probe image digest, image pull from digest instead of tag if specified | `""` |
| `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
| `linux.livenessProbe.securityContext` | The security context for the linux liveness-probe container | `{}` |
| `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` |
| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
| `linux.crds.annotations` | Linux *helm hook* annotations | `{}` |
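Review bot: the two new rows describe the same kind of setting differently: `linux.registrar.securityContext` is "The security context for the linux node-driver-registrar container image", but a securityContext applies to the container, not the image, and the matching `linux.livenessProbe.securityContext` row already says "container". Suggest "The security context for the linux node-driver-registrar container" so both rows read the same.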
Expand Up @@ -36,6 +36,12 @@ spec:
{{- end }}
affinity:
{{ toYaml .Values.linux.affinity | indent 8 }}
{{- if .Values.linux.podSecurityContext }}
securityContext:
{{- with .Values.linux.podSecurityContext }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: node-driver-registrar
{{- if .Values.linux.registrarImage.digest }}
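Review bot: the `{{- if .Values.linux.podSecurityContext }}` guard around the `{{- with .Values.linux.podSecurityContext }}` block is redundant: `with` already skips its body when the value is empty, and because `securityContext:` sits inside the outer `if`, the key is emitted only for a non-empty value either way. Suggest collapsing to `{{- with .Values.linux.podSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, which also matches the `with` style used for the driver container later in this patch.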
Expand All @@ -48,6 +54,10 @@ spec:
- --csi-address=/csi/csi.sock
- --kubelet-registration-path={{ .Values.linux.kubeletRootDir }}/plugins/csi-secrets-store/csi.sock
imagePullPolicy: {{ .Values.linux.registrarImage.pullPolicy }}
{{- if .Values.linux.registrar.securityContext }}
securityContext:
{{- toYaml .Values.linux.registrar.securityContext | nindent 12}}
{{- end }}
volumeMounts:
- name: plugin-dir
mountPath: /csi
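Review bot: `{{- toYaml .Values.linux.registrar.securityContext | nindent 12}}` is missing the space before `}}`; it renders correctly, but every other `nindent` in this patch is written `nindent 12 }}`, so please align it. This block and the liveness-probe one should stay textually identical apart from the value path, so a later change to one sidecar (for example a hardened default) does not drift from the other.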
Expand Down Expand Up @@ -103,7 +113,9 @@ spec:
fieldPath: spec.nodeName
imagePullPolicy: {{ .Values.linux.image.pullPolicy }}
securityContext:
privileged: true
{{- with .Values.linux.securityContext }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: {{ .Values.livenessProbe.port }}
name: healthz
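Review bot: replacing the hard-coded `privileged: true` with a user-controlled value is the point of the change, but the `securityContext:` key is now emitted unconditionally while its body is under `with`; if someone sets `linux.securityContext: {}` the chart renders `securityContext:` with a null value, and the driver container silently loses the privilege it always had before, with nothing at install time saying so. Either gate the key with the same `if`/`with` pattern used for the sidecars so an empty value produces no key, or, better, add a values.yaml comment and a README sentence stating that the driver container needs `privileged: true` (or whatever narrower capability set the maintainers have verified) so users applying a hardening baseline understand what breaks when they lower it.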
Expand Down Expand Up @@ -148,6 +160,10 @@ spec:
image: "{{ .Values.linux.livenessProbeImage.repository }}:{{ .Values.linux.livenessProbeImage.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.linux.livenessProbeImage.pullPolicy }}
{{- if .Values.linux.livenessProbe.securityContext }}
securityContext:
{{- toYaml .Values.linux.livenessProbe.securityContext | nindent 12 }}
{{- end }}
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
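Review bot: this block has the space before `}}` that the registrar block lacks and is otherwise the same `if` + `toYaml` idiom, which is fine; the patch as a whole now uses three template styles for one setting (`if` wrapping `with` at pod level, bare `with` for the driver, `if` with a direct value path for the sidecars). Pick one idiom for all four places so a reader can tell at a glance that they behave the same for an empty value.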
9 changes: 8 additions & 1 deletion manifest_staging/charts/secrets-store-csi-driver/values.yaml
Expand Up @@ -6,6 +6,9 @@ linux:
#digest: sha256:
pullPolicy: IfNotPresent

# Pod security context
podSecurityContext: {}

crds:
enabled: true
image:
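Review bot: the comment `# Pod security context` should say what the map applies to: it is rendered at pod level, so it affects all three containers (driver, node-driver-registrar, liveness probe), and the container-level contexts below override overlapping fields. A one-line example of an intended pod-level value, such as `seccompProfile: {type: RuntimeDefault}`, would make the purpose clear to users who only read values.yaml.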
Expand All @@ -22,6 +25,9 @@ linux:
# memory: "512Mi"
annotations: {}
podLabels: {}
# The secrets-store container security context
securityContext:
privileged: true

## Prevent the CSI driver from being scheduled on virtual-kubelet nodes
affinity:
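Review bot: keeping `privileged: true` as the default preserves existing behaviour, which is right for an upgrade path, but this is the one key in the patch where a lower value changes what the driver can do; the comment `# The secrets-store container security context` should state that the driver runs privileged by default and why, so a user rolling out a cluster-wide hardening baseline does not simply blank it out and then debug a broken mount.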
Expand Down Expand Up @@ -58,7 +64,7 @@ linux:
cpu: 10m
memory: 20Mi
logVerbosity: 5

securityContext: {}
livenessProbeImage:
repository: registry.k8s.io/sig-storage/livenessprobe
tag: v2.13.1
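Review bot: the blank line between `logVerbosity: 5` and `livenessProbeImage:` was replaced by `securityContext: {}`; keep a blank separator so the registrar block and the image block stay visually distinct. On the default itself: `{}` leaves the node-driver-registrar sidecar with Kubernetes defaults, which matches today's template (it had no securityContext at all), but since this sidecar never had the driver's privilege, a restrictive default such as `allowPrivilegeEscalation: false` with `capabilities: {drop: [ALL]}` is worth evaluating, or at least documenting as the recommended value in the README.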
Expand All @@ -73,6 +79,7 @@ linux:
requests:
cpu: 10m
memory: 20Mi
securityContext: {}

updateStrategy:
type: RollingUpdate
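Review bot: same consideration as for the registrar default: `{}` keeps today's behaviour for the liveness-probe sidecar, and the two sidecar defaults should stay identical (the README describes both as `{}`); if a hardened default is adopted for one, apply it to both in the same change.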