Merge pull request #422 from farodin91/securityContext

feat: add readOnlyRootFilesystem if possible
Kubernetes Prow Robot 2023-03-17 19:15:15 -07:00 committed by GitHub
commit 2999e7e3fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 0 deletions


@ -61,6 +61,8 @@ spec:
- mountPath: /csi - mountPath: /csi
name: socket-dir name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: liveness-probe - name: liveness-probe
image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
args: args:
@ -73,6 +75,8 @@ spec:
- name: socket-dir - name: socket-dir
mountPath: /csi mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: nfs - name: nfs
image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
securityContext: securityContext:
@ -80,6 +84,7 @@ spec:
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }} imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args: args:
- "--v={{ .Values.controller.logLevel }}" - "--v={{ .Values.controller.logLevel }}"
@ -113,6 +118,8 @@ spec:
mountPropagation: "Bidirectional" mountPropagation: "Bidirectional"
- mountPath: /csi - mountPath: /csi
name: socket-dir name: socket-dir
- mountPath: {{ .Values.controller.workingMountDir }}
name: tmp-dir
resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }} resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }}
volumes: volumes:
- name: pods-mount-dir - name: pods-mount-dir
@ -121,3 +128,5 @@ spec:
type: Directory type: Directory
- name: socket-dir - name: socket-dir
emptyDir: {} emptyDir: {}
- name: tmp-dir
emptyDir: {}
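Review bot: The `securityContext` added to the csi-provisioner and liveness-probe containers (hunks at -61,6 and -73,6) sets only `readOnlyRootFilesystem: true`, so privilege escalation and the runtime's default capability set stay in place for two sidecars that, as far as these hunks show, only use the `/csi` socket. I would add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside it, after confirming the sidecar images still start with no capabilities. The same applies to the liveness-probe container in the second file (hunk at -51,6). The container definitions begin above these hunks, so an existing pod-level securityContext would not be visible here.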


@ -51,6 +51,8 @@ spec:
- name: socket-dir - name: socket-dir
mountPath: /csi mountPath: /csi
resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: node-driver-registrar - name: node-driver-registrar
image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
livenessProbe: livenessProbe:
@ -85,6 +87,7 @@ spec:
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
args : args :
- "--v={{ .Values.node.logLevel }}" - "--v={{ .Values.node.logLevel }}"
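Review bot: On the nfs container (hunk at -85,6) `readOnlyRootFilesystem: true` lands beside `add: ["SYS_ADMIN"]` and `allowPrivilegeEscalation: true`, and a process holding CAP_SYS_ADMIN can remount filesystems, so here the flag guards against stray writes rather than containing a compromised driver process. A comment above the line would keep readers from over-trusting it, e.g. `# read-only root only prevents accidental writes; SYS_ADMIN can remount, treat this container as privileged`. The controller's nfs container in the first file (hunk at -80,6) has the same combination. The securityContext block starts above the hunk, so other fields such as `privileged` are not visible here.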