
Commit 3a9589c

authored
Merge branch 'main' into ashima
2 parents 808218b + 5a6b292 commit 3a9589c


2 files changed

+20
-11
lines changed


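--- a/controllers/syncer/csi_controller.go
+++ b/controllers/syncer/csi_controller.go
@@ -83,10 +83,10 @@ func (s *csiControllerSyncer) ensurePodSpec() corev1.PodSpec {
 return corev1.PodSpec{
 Containers: s.ensureContainersSpec(),
 Volumes: s.ensureVolumes(),
-// SecurityContext: &corev1.PodSecurityContext{
-// FSGroup: &fsGroup,
-// RunAsUser: &fsGroup,
-// },
+SecurityContext: &corev1.PodSecurityContext{
+RunAsNonRoot: util.True(),
+RunAsUser: func(uid int64) *int64 { return &uid }(2121),
+},
 Affinity: s.driver.Spec.Controller.Affinity,
 Tolerations: s.driver.Spec.Controller.Tolerations,
 ServiceAccountName: constants.GetResourceName(constants.CSIControllerServiceAccount),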
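Review bot: The pod-level `RunAsUser` at @@ -83 hard-codes 2121 through an inline closure, and the same literal and closure recur in csi_node.go; a named package-level constant plus a small pointer helper (constructed example: `const nonRootUID int64 = 2121` and `func int64Ptr(v int64) *int64 { return &v }`) would keep the two syncers in agreement when the UID changes. The commented-out predecessor also set `FSGroup`; whether a fsGroup is still needed depends on what `ensureVolumes()` mounts, which is outside this hunk, so that is worth confirming rather than dropping silently. `RunAsNonRoot: util.True()` together with a non-zero `RunAsUser` is a consistent pair, so no further change is needed on the pod-level context itself.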

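--- a/controllers/syncer/csi_node.go
+++ b/controllers/syncer/csi_node.go
@@ -81,8 +81,12 @@ func (s *csiNodeSyncer) SyncFn() error {
 
 func (s *csiNodeSyncer) ensurePodSpec() corev1.PodSpec {
 return corev1.PodSpec{
-Containers: s.ensureContainersSpec(),
-Volumes: s.ensureVolumes(),
+Containers: s.ensureContainersSpec(),
+Volumes: s.ensureVolumes(),
+SecurityContext: &corev1.PodSecurityContext{
+RunAsNonRoot: func(b bool) *bool { return &b }(true),
+RunAsUser: func(uid int64) *int64 { return &uid }(2121),
+},
 ServiceAccountName: constants.GetResourceName(constants.CSINodeServiceAccount),
 }
 }
@@ -123,12 +127,12 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 })
 
 nodePlugin.SecurityContext = &corev1.SecurityContext{
-Privileged: util.True(),
-AllowPrivilegeEscalation: util.True(),
+RunAsNonRoot: util.False(),
+Privileged: util.True(),
+RunAsUser: func(uid int64) *int64 { return &uid }(0),
 }
 fillSecurityContextCapabilities(
 nodePlugin.SecurityContext,
-"SYS_ADMIN",
 )
 
 // node driver registrar sidecar
@@ -140,7 +144,9 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 "--v=5",
 },
 )
-registrar.SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
+RunAsUser: func(uid int64) *int64 { return &uid }(0),
+Privileged: util.False()}
 fillSecurityContextCapabilities(registrar.SecurityContext)
 registrar.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 registrar.Resources = getSidecarResourceRequests(s.driver, constants.CSINodeDriverRegistrar)
@@ -154,7 +160,10 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 healthPortArg,
 },
 )
-livenessProbe.SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+livenessProbe.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
+RunAsUser: func(uid int64) *int64 { return &uid }(0),
+Privileged: util.False(),
+}
 fillSecurityContextCapabilities(livenessProbe.SecurityContext)
 livenessProbe.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 livenessProbe.Resources = getSidecarResourceRequests(s.driver, constants.LivenessProbe)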
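Review bot: At @@ -140 and @@ -154 the registrar and livenessProbe sidecars lose `AllowPrivilegeEscalation: util.False()`, and the `Privileged: util.False()` that takes its place is not equivalent: for a non-privileged container an unset allowPrivilegeEscalation defaults to true, so both sidecars now run as UID 0 with escalation permitted, a weaker posture than before the change. Keep the field alongside the new ones, e.g. `registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(), RunAsUser: func(uid int64) *int64 { return &uid }(0), Privileged: util.False(), AllowPrivilegeEscalation: util.False()}`, and the same for livenessProbe; whether fillSecurityContextCapabilities sets it cannot be seen from these hunks. If the sidecars genuinely need root, a comment stating why would help, since the pod-level `RunAsNonRoot: true` from the first hunk is overridden by every container visible here. Dropping `AllowPrivilegeEscalation: util.True()` and `"SYS_ADMIN"` from the node plugin at @@ -123 is fine because `Privileged: util.True()` already implies both. Minor: the first hunk spells `RunAsNonRoot: func(b bool) *bool { return &b }(true)` where `util.True()` is used for the same purpose elsewhere in this file.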
