mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-05-24 08:16:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

helm: allowPrivilegeEscalation: true in containerSecurityContext

Browse Source 
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit 06c4477ff9fce02c49439d800f36cce82319f805)
This commit is contained in:
Silvan Loser 2022-04-06 07:16:28 +02:00 committed by mergify[bot]
parent 41728c2465
commit 059969b10b
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
View File

@ -42,6 +42,7 @@ spec:
# created by privileged CSI driver container.
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args:
@ -135,6 +136,7 @@ spec:
- name: liveness-prometheus
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args:

2
charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
View File

@ -42,6 +42,7 @@ spec:
# created by privileged CSI driver container.
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args:
@ -142,6 +143,7 @@ spec:
- name: liveness-prometheus
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args: