From f4d05a3ef9aa15d4fdb5a39407042804a4797aad Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Mon, 13 Jan 2020 09:44:18 +0530
Subject: [PATCH] CSI: run all containers as privileged in daemonset pods

On systems with SELinux enabled, non-privileged containers can't access data of privileged containers. Since the socket is exposed by privileged containers, all sidecars must be privileged too. This is needed only for containers running in daemonset as we are using bidirectional mounts in daemonset

Signed-off-by: Madhu Rajanna
(cherry picked from commit e0cc7740f6db86ba9a5f37e850ec9cd0f614315c)
---
 charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml | 7 +++++++
 charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml | 7 +++++++
 deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml | 7 +++++++
 deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml | 7 +++++++
 deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml | 7 +++++++
 deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml | 7 +++++++
 6 files changed, 42 insertions(+)

diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index 469d43a2a..6a06c7e72 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -31,6 +31,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
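Review bot: `privileged: true` is hard-coded on the driver-registrar even though the new comment says it is only needed on SELinux hosts, so every chart user gets a sidecar with all Linux capabilities, host device access and no AppArmor/SELinux confinement just to cover the SELinux case. In a template this can be gated on a value: wrap the two `securityContext` lines in `{{- if .Values.nodeplugin.registrar.privileged }}` … `{{- end }}`, default it to false in values.yaml, and keep the SELinux explanation next to that value. It is also worth testing whether a narrower `seLinuxOptions` on the sidecar (for example `type: spc_t`, the label runtimes give privileged containers) is enough to reach the socket without the full privileged set; I have not verified that on the runtimes ceph-csi supports. The container definition continues past the end of the hunk.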
@@ -127,6 +132,8 @@ spec:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.nodeplugin.httpMetrics.enabled }}
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index 40086af7d..f1d250c0c 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -34,6 +34,11 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: driver-registrar
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
@@ -126,6 +131,8 @@ spec:
 {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
 {{- if .Values.nodeplugin.httpMetrics.enabled }}
 - name: liveness-prometheus
+ securityContext:
+ privileged: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
diff --git a/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
index e8a9d5cef..7c361da16 100644
--- a/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/v1.13/csi-cephfsplugin.yaml
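Review bot: The liveness-prometheus container is made privileged without the explanatory comment the driver-registrar received, and this is the sidecar that serves an HTTP metrics listener (it only exists when `httpMetrics.enabled` is set), so any flaw in that handler is now reachable inside a privileged process. `dnsPolicy: ClusterFirstWithHostNet` in the surrounding context suggests the pod runs on the host network, which would put that listener on the node's own interfaces; I cannot see the `hostNetwork` field from here. Copy the SELinux note onto this `securityContext` so the next maintainer does not read it as a capability the probe itself needs, and gate it on the same value as the registrar rather than leaving it unconditional. The `{{- if .Values.nodeplugin.httpMetrics.enabled }}` block continues past the hunk.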
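Review bot: With every container in the rbd nodeplugin DaemonSet now privileged, any PodSecurityPolicy or admission policy bound to its ServiceAccount has to permit `privileged: true` for the sidecars and not just the plugin; nothing in this diff touches such a policy, so where one exists (in the chart or in the user's cluster) the pods would be rejected on upgrade. That is worth a line in the chart README/values and, if the chart ships a PSP, a matching change. The two-line `securityContext` on liveness-prometheus also lacks the rationale the registrar carries; add `# privileged only so this sidecar can reach the CSI socket on SELinux hosts; see driver-registrar above` so the grant is not mistaken for a functional requirement.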
@@ -20,6 +20,11 @@ spec:
 containers:
 - name: driver-registrar
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
@@ -103,6 +108,8 @@ spec:
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
 image: quay.io/cephcsi/cephcsi:v1.2.2
+ securityContext:
+ privileged: true
 args:
 - "--type=liveness"
 - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
index 05c7a58d7..99712884a 100644
--- a/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/v1.14+/csi-cephfsplugin.yaml
@@ -20,6 +20,11 @@ spec:
 containers:
 - name: driver-registrar
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
@@ -102,6 +107,8 @@ spec:
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
 image: quay.io/cephcsi/cephcsi:v1.2.2
+ securityContext:
+ privileged: true
 args:
 - "--type=liveness"
 - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
index e28612b4a..88202f50a 100644
--- a/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/v1.13/csi-rbdplugin.yaml
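Review bot: In the static manifests there is no opt-out: the comment states privileged is necessary only on SELinux systems, yet everyone who applies deploy/cephfs/kubernetes/*/csi-cephfsplugin.yaml gets a privileged registrar and cannot tell from the file whether removing it is safe. Reword the note to say what a non-SELinux operator should do, e.g. `# Required only on SELinux-enforcing nodes; on hosts without SELinux this block can be removed.`, or cover it in the deploy documentation. Running the sidecar privileged also raises the stakes of its supply chain: `quay.io/k8scsi/csi-node-driver-registrar:v1.1.0` is a mutable tag, so a swapped image is now root on every node; pinning the static manifests by digest would be a cheap mitigation. The container specs continue outside both hunks.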
@@ -23,6 +23,11 @@ spec:
 containers:
 - name: driver-registrar
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
@@ -97,6 +102,8 @@ spec:
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
 image: quay.io/cephcsi/cephcsi:v1.2.2
+ securityContext:
+ privileged: true
 args:
 - "--type=liveness"
 - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
index 03b7770b6..e8b6eb07b 100644
--- a/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/v1.14+/csi-rbdplugin.yaml
@@ -23,6 +23,11 @@ spec:
 containers:
 - name: driver-registrar
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ securityContext:
+ privileged: true
 args:
 - "--v=5"
 - "--csi-address=/csi/csi.sock"
@@ -101,6 +106,8 @@ spec:
 mountPath: /tmp/csi/keys
 - name: liveness-prometheus
 image: quay.io/cephcsi/cephcsi:v1.2.2
+ securityContext:
+ privileged: true
 args:
 - "--type=liveness"
 - "--endpoint=$(CSI_ENDPOINT)"
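Review bot: The liveness-prometheus hunks in both rbd manifests add `privileged: true` with no comment, while the registrar hunks explain the SELinux reason; a reader will assume the `--type=liveness` probe itself needs node-level privilege. Add the same note above this `securityContext`, e.g. `# Privileged only to reach the CSI socket under SELinux (see driver-registrar); not a functional requirement of the probe.` Since the grant cannot be narrowed here, pair it with what can still be restricted in the same block — `readOnlyRootFilesystem: true` is the obvious candidate if the liveness binary does not write to its own filesystem, which I have not verified. The container specs continue outside these hunks.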