
Commit 8872a1e

committed
Changes in sidecars for non-root user pod support
Signed-off-by: Ambika Nair <[email protected]>
1 parent 4a0ef78 commit 8872a1e

2 files changed

+15
-7
lines changed


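--- a/controllers/syncer/csi_controller.go
+++ b/controllers/syncer/csi_controller.go
@@ -83,10 +83,10 @@ func (s *csiControllerSyncer) ensurePodSpec() corev1.PodSpec {
 return corev1.PodSpec{
 Containers: s.ensureContainersSpec(),
 Volumes: s.ensureVolumes(),
-// SecurityContext: &corev1.PodSecurityContext{
-// FSGroup: &fsGroup,
-// RunAsUser: &fsGroup,
-// },
+SecurityContext: &corev1.PodSecurityContext{
+RunAsNonRoot: util.True(),
+RunAsUser: func(uid int64) *int64 { return &uid }(2121),
+},
 Affinity: s.driver.Spec.Controller.Affinity,
 Tolerations: s.driver.Spec.Controller.Tolerations,
 ServiceAccountName: constants.GetResourceName(constants.CSIControllerServiceAccount),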
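Review bot: The controller pod's UID is a bare `2121` inside an inline closure, and the same literal is repeated in csi_node.go's ensurePodSpec; a named constant, e.g. `const nonRootUID int64 = 2121` next to the other pod constants, used as `RunAsUser: func(uid int64) *int64 { return &uid }(nonRootUID)` (or via a small `util.Int64` helper beside the existing `util.True`), keeps the two files from drifting apart. The removed commented-out block also carried an `FSGroup`; with only `RunAsUser` set, nothing re-owns mounted volumes for UID 2121, so if any controller sidecar writes to a volume from ensureVolumes an `FSGroup` may still be needed — worth confirming before this ships. A one-line comment on the `SecurityContext` field stating why 2121 was chosen (image USER, PSA "restricted" profile, etc.) would help the next reader. The enclosing ensurePodSpec starts above this hunk.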

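--- a/controllers/syncer/csi_node.go
+++ b/controllers/syncer/csi_node.go
@@ -81,8 +81,12 @@ func (s *csiNodeSyncer) SyncFn() error {
 
 func (s *csiNodeSyncer) ensurePodSpec() corev1.PodSpec {
 return corev1.PodSpec{
-Containers: s.ensureContainersSpec(),
-Volumes: s.ensureVolumes(),
+Containers: s.ensureContainersSpec(),
+Volumes: s.ensureVolumes(),
+SecurityContext: &corev1.PodSecurityContext{
+RunAsNonRoot: func(b bool) *bool { return &b }(true),
+RunAsUser: func(uid int64) *int64 { return &uid }(2121),
+},
 ServiceAccountName: constants.GetResourceName(constants.CSINodeServiceAccount),
 }
 }
@@ -123,8 +127,10 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 })
 
 nodePlugin.SecurityContext = &corev1.SecurityContext{
+RunAsNonRoot: util.False(),
 Privileged: util.True(),
 AllowPrivilegeEscalation: util.True(),
+RunAsUser: func(uid int64) *int64 { return &uid }(0),
 }
 fillSecurityContextCapabilities(
 nodePlugin.SecurityContext,
@@ -140,7 +146,9 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 "--v=5",
 },
 )
-registrar.SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
+RunAsUser: func(uid int64) *int64 { return &uid }(0),
+Privileged: util.False()}
 fillSecurityContextCapabilities(registrar.SecurityContext)
 registrar.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 registrar.Resources = getSidecarResourceRequests(s.driver, constants.CSINodeDriverRegistrar)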
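Review bot: The registrar's rewritten SecurityContext in the last hunk drops the `AllowPrivilegeEscalation: util.False()` that the removed line carried; the container now runs as UID 0 with that field unset, which the API defaults to true, so this is a hardening regression the non-root change does not require — keep it: `registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(), RunAsUser: func(uid int64) *int64 { return &uid }(0), Privileged: util.False(), AllowPrivilegeEscalation: util.False()}`. Nothing in the hunk says why the registrar needs root while the pod-level default is 2121; if it is about write access to the kubelet plugin-registration directory, say so in a comment on that line (`// registrar overrides the pod's non-root default: <reason — confirm>`) so the override is not removed as a mistake later. In ensurePodSpec the boolean is spelled `func(b bool) *bool { return &b }(true)` while csi_controller.go and the nodePlugin hunk use `util.True()`; use the helper here too, and consider a named constant for the repeated `2121`. Both ensureContainersSpec hunks start and end outside their hunk boundaries.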
