Merge pull request #422 from farodin91/securityContext

feat: add readOnlyRootFilesystem if possible
2023-03-17 19:15:15 -07:00 · 2023-03-17 19:15:15 -07:00 · 2999e7e3fb
commit 2999e7e3fb
parent cd50d48b7f 18432fa13f
3 changed files with 12 additions and 0 deletions
--- a/charts/latest/csi-driver-nfs-v0.0.0.tgz
+++ b/charts/latest/csi-driver-nfs-v0.0.0.tgz
--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
@ -61,6 +61,8 @@ spec:
            - mountPath: /csi
              name: socket-dir
          resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
          args:
@ -73,6 +75,8 @@ spec:
            - name: socket-dir
              mountPath: /csi
          resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
        - name: nfs
          image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
          securityContext:
@ -80,6 +84,7 @@ spec:
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
          imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
          args:
            - "--v={{ .Values.controller.logLevel }}"
@ -113,6 +118,8 @@ spec:
              mountPropagation: "Bidirectional"
            - mountPath: /csi
              name: socket-dir
+            - mountPath: {{ .Values.controller.workingMountDir }}
+              name: tmp-dir
          resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }}
      volumes:
        - name: pods-mount-dir
@ -121,3 +128,5 @@ spec:
            type: Directory
        - name: socket-dir
          emptyDir: {}
+        - name: tmp-dir
+          emptyDir: {}
--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@ -51,6 +51,8 @@ spec:
            - name: socket-dir
              mountPath: /csi
          resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
        - name: node-driver-registrar
          image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
          livenessProbe:
@ -85,6 +87,7 @@ spec:
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
          image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
          args :
            - "--v={{ .Values.node.logLevel }}"