mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-27 08:40:23 +00:00
deploy: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.
Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true:
Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit f2e0fa28fb
)
This commit is contained in:
parent
059969b10b
commit
b50d8596ea
@ -26,6 +26,7 @@ spec:
|
|||||||
# created by privileged CSI driver container.
|
# created by privileged CSI driver container.
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
|
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
|
||||||
args:
|
args:
|
||||||
- "--v=5"
|
- "--v=5"
|
||||||
@ -106,6 +107,7 @@ spec:
|
|||||||
- name: liveness-prometheus
|
- name: liveness-prometheus
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
image: quay.io/cephcsi/cephcsi:v3.6-canary
|
image: quay.io/cephcsi/cephcsi:v3.6-canary
|
||||||
args:
|
args:
|
||||||
- "--type=liveness"
|
- "--type=liveness"
|
||||||
|
@ -28,6 +28,7 @@ spec:
|
|||||||
# created by privileged CSI driver container.
|
# created by privileged CSI driver container.
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
|
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
|
||||||
args:
|
args:
|
||||||
- "--v=5"
|
- "--v=5"
|
||||||
@ -124,6 +125,7 @@ spec:
|
|||||||
- name: liveness-prometheus
|
- name: liveness-prometheus
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
image: quay.io/cephcsi/cephcsi:v3.6-canary
|
image: quay.io/cephcsi/cephcsi:v3.6-canary
|
||||||
args:
|
args:
|
||||||
- "--type=liveness"
|
- "--type=liveness"
|
||||||
|
Loading…
Reference in New Issue
Block a user