Improve Security Context of Node Server Container

Signed-off-by: Ambika Nair <[email protected]>

Author: ambiknai

controllers/syncer/csi_node.go

@@ -127,14 +127,12 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 	})
 
 	nodePlugin.SecurityContext = &corev1.SecurityContext{
-		RunAsNonRoot:             util.False(),
-		Privileged:               util.True(),
-		AllowPrivilegeEscalation: util.True(),
-		RunAsUser:                func(uid int64) *int64 { return &uid }(0),
+		RunAsNonRoot: util.False(),
+		Privileged:   util.True(),
+		RunAsUser: func(uid int64) *int64 { return &uid }(0),
 	}
 	fillSecurityContextCapabilities(
 		nodePlugin.SecurityContext,
-		"SYS_ADMIN",
 	)
 
 	// node driver registrar sidecar
@@ -162,7 +160,10 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 			healthPortArg,
 		},
 	)
-	livenessProbe.SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+	livenessProbe.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
+		RunAsUser:  func(uid int64) *int64 { return &uid }(0),
+		Privileged: util.False(),
+	}
 	fillSecurityContextCapabilities(livenessProbe.SecurityContext)
 	livenessProbe.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 	livenessProbe.Resources = getSidecarResourceRequests(s.driver, constants.LivenessProbe)