helm: allowPrivilegeEscalation: true in containerSecurityContext

When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit 06c4477ff9)
This commit is contained in:
Silvan Loser 2022-04-06 07:16:28 +02:00 committed by mergify[bot]
parent 41728c2465
commit 059969b10b
2 changed files with 4 additions and 0 deletions

View File

@ -42,6 +42,7 @@ spec:
# created by privileged CSI driver container. # created by privileged CSI driver container.
securityContext: securityContext:
privileged: true privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args: args:
@ -135,6 +136,7 @@ spec:
- name: liveness-prometheus - name: liveness-prometheus
securityContext: securityContext:
privileged: true privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args: args:

View File

@ -42,6 +42,7 @@ spec:
# created by privileged CSI driver container. # created by privileged CSI driver container.
securityContext: securityContext:
privileged: true privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args: args:
@ -142,6 +143,7 @@ spec:
- name: liveness-prometheus - name: liveness-prometheus
securityContext: securityContext:
privileged: true privileged: true
allowPrivilegeEscalation: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args: args: