feat: enable securityContext.seccompProfile, set system-cluster-critical

2023-04-08 13:09:42 +00:00 · 2023-04-08 13:09:42 +00:00 · 847601bb28
commit 847601bb28
parent 3f5c5660c4
7 changed files with 22 additions and 0 deletions
--- a/charts/latest/csi-driver-nfs-v0.0.0.tgz
+++ b/charts/latest/csi-driver-nfs-v0.0.0.tgz
--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
@ -40,6 +40,9 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
 {{- with .Values.controller.tolerations }}
      tolerations:
 {{ toYaml . | indent 8 }}
--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@ -25,6 +25,10 @@ spec:
      hostNetwork: true # original nfs connection would be broken without hostNetwork setting
      dnsPolicy: {{ .Values.controller.dnsPolicy }}
      serviceAccountName: csi-nfs-node-sa
+      priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
 {{- with .Values.node.affinity }}
      affinity:
 {{ toYaml . | indent 8 }}
--- a/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
@ -40,6 +40,10 @@ spec:
        app: {{ .Values.externalSnapshotter.name }}
    spec:
      serviceAccountName: {{ .Values.externalSnapshotter.name }}
+      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: {{ .Values.externalSnapshotter.name }}
          image: {{ .Values.image.externalSnapshotter.repository }}:{{ .Values.image.externalSnapshotter.tag }}
--- a/deploy/csi-nfs-controller.yaml
+++ b/deploy/csi-nfs-controller.yaml
@ -20,6 +20,9 @@ spec:
      nodeSelector:
        kubernetes.io/os: linux  # add "kubernetes.io/role: master" to run controller on master node
      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      tolerations:
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
--- a/deploy/csi-nfs-node.yaml
+++ b/deploy/csi-nfs-node.yaml
@ -20,6 +20,10 @@ spec:
      hostNetwork: true  # original nfs connection would be broken without hostNetwork setting
      dnsPolicy: Default  # available values: Default, ClusterFirstWithHostNet, ClusterFirst
      serviceAccountName: csi-nfs-node-sa
+      priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
--- a/deploy/csi-snapshot-controller.yaml
+++ b/deploy/csi-snapshot-controller.yaml
@ -31,6 +31,10 @@ spec:
        app: snapshot-controller
    spec:
      serviceAccountName: snapshot-controller
+      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: snapshot-controller
          image: registry.k8s.io/sig-storage/snapshot-controller:v6.1.0