Setup additional hardening for pods (#168)

jcpunk · web-flow · commit 0a591f76bbda · 2026-02-06T13:44:23.000+01:00
Signed-off-by: Pat Riehecky &lt;riehecky@fnal.gov&gt;
diff --git a/deployments/helm/cvmfs-csi/templates/controllerplugin-deployment.yaml b/deployments/helm/cvmfs-csi/templates/controllerplugin-deployment.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         {{- include "cvmfs-csi.controllerplugin.labels" .  | nindent 8 }}
     spec:
+      hostUsers: {{ .Values.controllerplugin.hostUsers }}
       {{- with .Values.controllerplugin.podSecurityContext }}
       securityContext: {{ toYaml . | nindent 8 }}
       {{- end }}
@@ -37,11 +38,16 @@ spec:
             - name: CSI_ADDRESS
               value: unix:///csi/{{ .Values.cvmfsCSIPluginSocketFile }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: socket-dir
               mountPath: /csi
           {{- with .Values.controllerplugin.provisioner.resources }}
           resources: {{ toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.controllerplugin.securityContext }}
+          securityContext: {{ toYaml . | nindent  12}}
+          {{- end }}
         - name: controllerplugin
           image: {{ .Values.controllerplugin.plugin.image.repository }}:{{ .Values.controllerplugin.plugin.image.tag | default .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.controllerplugin.plugin.image.pullPolicy }}
@@ -58,6 +64,8 @@ spec:
             - name: CSI_DRIVERNAME
               value: {{ .Values.csiDriverName }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: socket-dir
               mountPath: /csi
           {{- with .Values.controllerplugin.plugin.resources }}
@@ -66,9 +74,16 @@ spec:
         {{- with .Values.controllerplugin.extraContainers }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- with .Values.controllerplugin.securityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
+        - name: tmp
+          emptyDir:
+            sizeLimit: 256Mi
         - name: socket-dir
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 256Mi
       {{- with .Values.controllerplugin.affinity }}
       affinity: {{ toYaml . | nindent 8 }}
       {{- end }}
diff --git a/deployments/helm/cvmfs-csi/templates/nodeplugin-daemonset.yaml b/deployments/helm/cvmfs-csi/templates/nodeplugin-daemonset.yaml
@@ -18,6 +18,8 @@ spec:
     spec:
       # hostPID is required for autofs to work.
       hostPID: {{ .Values.nodeplugin.hostPID }}
+      # hostUsers is required for autofs to work.
+      hostUsers: {{ .Values.nodeplugin.hostUsers }}
       {{- with .Values.nodeplugin.podSecurityContext }}
       securityContext: {{ toYaml . | nindent 8 }}
       {{- end }}
@@ -44,13 +46,21 @@ spec:
             - name: KUBELET_CSI_REGISTRATION_PATH
               value: {{ .Values.kubeletDirectory }}/plugins/{{ .Values.csiDriverName }}/{{ .Values.cvmfsCSIPluginSocketFile }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: socket-dir
               mountPath: /csi
             - name: registration-dir
               mountPath: /registration
           {{- with .Values.nodeplugin.registrar.resources }}
           resources: {{ toYaml . | nindent 12 }}
           {{- end }}
+          securityContext:
+            privileged: false
+            capabilities:
+              drop: ["ALL"]
+            allowPrivilegeEscalation: false
+            runAsNonRoot: false
         - name: nodeplugin
           image: {{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag | default .Chart.AppVersion }}
           command: [/csi-cvmfsplugin]
@@ -67,7 +77,9 @@ spec:
             privileged: true
             capabilities:
               add: ["SYS_ADMIN"]
+              drop: ["ALL"]
             allowPrivilegeEscalation: true
+            runAsNonRoot: false
           env:
             - name: NODE_ID
               valueFrom:
@@ -78,6 +90,8 @@ spec:
             - name: CSI_DRIVERNAME
               value: {{ .Values.csiDriverName }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: plugins-dir
               mountPath: {{ .Values.kubeletDirectory }}/plugins
               mountPropagation: Bidirectional
@@ -114,8 +128,12 @@ spec:
             privileged: true
             capabilities:
               add: ["SYS_ADMIN"]
+              drop: ["ALL"]
             allowPrivilegeEscalation: true
+            runAsNonRoot: false
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - mountPath: /sys
               name: host-sys
             - name: lib-modules
@@ -149,8 +167,12 @@ spec:
             privileged: true
             capabilities:
               add: ["SYS_ADMIN"]
+              drop: ["ALL"]
             allowPrivilegeEscalation: true
+            runAsNonRoot: false
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: autofs-root
               mountPath: /cvmfs
               mountPropagation: Bidirectional
@@ -173,8 +195,12 @@ spec:
             privileged: true
             capabilities:
               add: ["SYS_ADMIN"]
+              drop: ["ALL"]
             allowPrivilegeEscalation: true
+            runAsNonRoot: false
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: plugins-dir
               mountPath: {{ .Values.kubeletDirectory }}/plugins
               mountPropagation: Bidirectional
@@ -204,7 +230,14 @@ spec:
           command: ["/usr/sbin/crond", "-n", "-s", "-m", "off", "-x", "load,proc,sch"]
           securityContext:
             privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+              drop: ["ALL"]
+            allowPrivilegeEscalation: true
+            runAsNonRoot: false
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: autofs-root
               mountPath: /cvmfs
               mountPropagation: Bidirectional
@@ -222,6 +255,9 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       volumes:
+        - name: tmp
+          emptyDir:
+            sizeLimit: 265Mi
         - name: socket-dir
           hostPath:
             path: {{ .Values.kubeletDirectory }}/plugins/{{ .Values.csiDriverName }}
@@ -247,7 +283,8 @@ spec:
           hostPath:
             path: /dev
         - name: runtime-metadata
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 1Gi
         - name: autofs-root
           hostPath:
             path: {{ .Values.automountHostPath }}
diff --git a/deployments/helm/cvmfs-csi/values.yaml b/deployments/helm/cvmfs-csi/values.yaml
@@ -205,6 +205,9 @@ nodeplugin:
   # more details).
   hostPID: true
 
+  # hostUsers must be enabled for automounts to work.
+  hostUsers: true
+
   # (deprecated) ServiceAccount to use with Node plugin DaemonSet.
   # New CVMFS CSI deployments do not need this. It is only necessary
   # when upgrading from v1 of the driver.
@@ -289,11 +292,26 @@ controllerplugin:
   deploymentStrategySpec:
     type: RollingUpdate
 
+  # Control use of user namespaces for controllerplugin deployment.
+  hostUsers: true
+
   # Pod-level security context for controllerplugin deployment.
   podSecurityContext:
     seccompProfile:
       type: RuntimeDefault
 
+  # Container-level security context for controllerplugin deployment.
+  securityContext:
+    readOnlyRootFilesystem: true
+    runAsUser: 12357
+    runAsGroup: 12357
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    capabilities:
+      drop:
+        - ALL
+
   # Pod priority class name.
   priorityClassName: ""
 
