
Commit 8dc8792

authored
add security contexts for csi-driver containers and pods (#96)
1 parent 3a28d5e commit 8dc8792


1 file changed

+47
-0
lines changed


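--- a/controllers/resources.go
+++ b/controllers/resources.go
@@ -470,6 +470,12 @@ var (
 {Name: etcDirVolume.Name, MountPath: "/etc/lb-csi/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 csiProvisionerContainer = corev1.Container{
 Name: "csi-provisioner",
@@ -483,6 +489,12 @@ var (
 {Name: socketDirVolume.Name, MountPath: "/var/lib/csi/sockets/pluginproxy/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 csiAttacherContainer = corev1.Container{
 Name: "csi-attacher",
@@ -496,6 +508,12 @@ var (
 {Name: socketDirVolume.Name, MountPath: "/var/lib/csi/sockets/pluginproxy/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 csiResizerContainer = corev1.Container{
 Name: "csi-resizer",
@@ -509,13 +527,25 @@ var (
 {Name: socketDirVolume.Name, MountPath: "/var/lib/csi/sockets/pluginproxy/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 snapshotControllerContainer = corev1.Container{
 Name: "snapshot-controller",
 Image: snapshotControllerImage,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Args: []string{"--leader-election=false", "--v=5"},
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 csiSnapshotterContainer = corev1.Container{
 Name: "csi-snapshotter",
@@ -529,6 +559,12 @@ var (
 {Name: socketDirVolume.Name, MountPath: "/var/lib/csi/sockets/pluginproxy/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 discoveryClientContainer = corev1.Container{
 Name: "lb-nvme-discovery-client",
@@ -612,6 +648,12 @@ var (
 {Name: registrationDirVolume.Name, MountPath: "/registration/"},
 },
 Resources: defaultResourceLimits,
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+},
 }
 
 // Volumes
@@ -950,6 +992,11 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 Containers: containers,
 ServiceAccountName: ctrlServiceAccount().Name,
 PriorityClassName: "system-cluster-critical",
+SecurityContext: &corev1.PodSecurityContext{
+FSGroup: pointer.Int64(65534),
+RunAsUser: pointer.Int64(65534),
+RunAsNonRoot: pointer.Bool(true),
+},
 Volumes: []corev1.Volume{
 socketDirVolume,
 etcDirVolume,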
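Review bot: The container SecurityContext added in the first hunk (and repeated identically in the hunks at -483, -496, -509, -529 and -612) sets no SeccompProfile, and neither does the PodSecurityContext added in deployCSI, so a namespace enforcing the restricted Pod Security Standard would still reject these pods even though privilege escalation is blocked and all capabilities are dropped. The same seven-line literal is copied into every container, which makes a later hardening change easy to apply to six of seven sites; a small constructor returning a fresh `*corev1.SecurityContext` per call removes the duplication and avoids any temptation to share one pointer between containers. Each container field then becomes `SecurityContext: restrictedSecurityContext(),`, and the pod-level context in deployCSI (whose function starts outside the hunk) can carry the same `SeccompProfile` value. Whether the sidecar images also tolerate `ReadOnlyRootFilesystem: pointer.Bool(true)` cannot be told from this file, so that field is worth verifying against the images before adding it.
```go
// restrictedSecurityContext returns a fresh, unshared container security
// context: no privilege escalation, every capability dropped, and the
// runtime's default seccomp profile, which the restricted Pod Security
// Standard requires at pod or container level.
func restrictedSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: pointer.Bool(false),
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	}
}

// … unchanged: container definitions, each using SecurityContext: restrictedSecurityContext(), …
```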
