diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index c5d336af2..4e6529d45 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -33,6 +33,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
@@ -129,6 +134,8 @@ spec:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.nodeplugin.httpMetrics.enabled }}
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index 21b309891..f9db16e58 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -34,6 +34,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
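Review bot: `privileged: true` on `driver-registrar` is added unconditionally, although the comment above it says it is needed only on SELinux systems, so clusters without SELinux also get a sidecar with all capabilities and host device access for no stated benefit. The same addition is made in the driver-registrar hunks of the rbd chart and of the four `deploy/` manifests, where the container runs the third-party image `quay.io/k8scsi/csi-node-driver-registrar:v1.2.0` referenced by tag rather than digest. In the two charts the block could be rendered from an operator-controlled value instead of being hard-coded, and it is worth checking whether a narrower setting such as `seLinuxOptions:` with `type: spc_t` already lets the sidecar reach the socket without full privilege. The container definition continues past the end of the hunk.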
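Review bot: `liveness-prometheus` is made privileged with no explanation, unlike `driver-registrar` earlier in the same file; if the reason is the same, a comment such as `# Privileged only so this sidecar can reach the CSI socket on SELinux hosts.` should sit above `securityContext:`. Judging by its name and the `httpMetrics.enabled` guard, this container presumably serves an HTTP endpoint, so a flaw in it would now run with full node privileges. The same change is made in the liveness hunks of the rbd chart and the four `deploy/` manifests, where the image is `quay.io/cephcsi/cephcsi:canary`, a moving tag, so the privileged code can change without any manifest change; pinning a release tag or digest would limit that. The container spec continues outside the hunk.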
@@ -126,6 +131,8 @@ spec:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.nodeplugin.httpMetrics.enabled }}
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
diff --git a/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
index 76acff47d..b72d6c86b 100644
--- a/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
@@ -19,6 +19,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
 args:
 - "--v=5"
@@ -102,6 +107,8 @@ spec:
 - name: keys-tmp-dir
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: quay.io/cephcsi/cephcsi:canary
 args:
 - "--type=liveness"
diff --git a/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
index 23e2c5ee7..74e685c8f 100644
--- a/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
@@ -19,6 +19,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
 args:
 - "--v=5"
@@ -101,6 +106,8 @@ spec:
 - name: keys-tmp-dir
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: quay.io/cephcsi/cephcsi:canary
 args:
 - "--type=liveness"
diff --git a/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
index 765a462a6..792605bc7 100644
--- a/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
@@ -20,6 +20,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
 args:
 - "--v=5"
@@ -94,6 +99,8 @@ spec:
 - name: keys-tmp-dir
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: quay.io/cephcsi/cephcsi:canary
 args:
 - "--type=liveness"
diff --git a/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
index f57630349..eee7fb07a 100644
--- a/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
@@ -20,6 +20,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
 args:
 - "--v=5"
@@ -98,6 +103,8 @@ spec:
 - name: keys-tmp-dir
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: quay.io/cephcsi/cephcsi:canary
 args:
 - "--type=liveness"