diff --git a/charts/README.md b/charts/README.md
index 86f574ca9b9..492e7b2ce05 100644
--- a/charts/README.md
+++ b/charts/README.md
@@ -70,7 +70,7 @@ The following table lists the configurable parameters of the latest SMB CSI Driv
 | `podAnnotations` | collection of annotations to add to all the pods | `{}` |
 | `podLabels` | collection of labels to add to all the pods | `{}` |
 | `priorityClassName` | priority class name to be added to pods | `system-cluster-critical` |
-| `securityContext` | security context to be added to pods | `{}` |
+| `securityContext` | security context to be added to pods | `{ seccompProfile: {type: RuntimeDefault} }` |
 | `controller.name` | name of driver deployment | `csi-smb-controller` |
 | `controller.replicas` | replica num of csi-smb-controller | `1` |
 | `controller.dnsPolicy` | dnsPolicy of driver node daemonset, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` | |
diff --git a/charts/latest/csi-driver-smb-v0.0.0.tgz b/charts/latest/csi-driver-smb-v0.0.0.tgz
index 3fceeb6261c..aec9f1411fa 100644
Binary files a/charts/latest/csi-driver-smb-v0.0.0.tgz and b/charts/latest/csi-driver-smb-v0.0.0.tgz differ
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
index e563c0a1d3b..00d1d96c481 100755
--- a/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
+++ b/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -39,7 +39,10 @@ spec:
 {{- if .Values.controller.runOnControlPlane}}
 node-role.kubernetes.io/control-plane: ""
 {{- end}}
- priorityClassName: system-cluster-critical
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 {{- with .Values.controller.tolerations }}
 tolerations:
 {{ toYaml . | indent 8 }}
@@ -131,6 +134,3 @@ spec:
 emptyDir: {}
 - name: tmp-dir
 emptyDir: {}
- {{- if .Values.securityContext }}
- securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
- {{- end }}
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
index d2dafacce19..b033b151c97 100755
--- a/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
+++ b/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
@@ -31,7 +31,10 @@ spec:
 affinity:
 {{ toYaml . | indent 8 }}
 {{- end }}
- priorityClassName: system-node-critical
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.node }}
 {{- include "smb.pullSecrets" . | indent 6 }}
 containers:
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
index 3fc4eebf530..13e8ef72797 100755
--- a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
+++ b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
@@ -38,6 +38,9 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 {{- with .Values.linux.tolerations }}
 tolerations:
 {{ toYaml . | indent 8 }}
@@ -148,7 +151,4 @@ spec:
 path: {{ .Values.linux.kubelet }}/plugins_registry/
 type: DirectoryOrCreate
 name: registration-dir
- {{- if .Values.securityContext }}
- securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
- {{- end }}
 {{- end -}}
diff --git a/charts/latest/csi-driver-smb/values.yaml b/charts/latest/csi-driver-smb/values.yaml
index 2d9d6c978d7..a28fd97545a 100755
--- a/charts/latest/csi-driver-smb/values.yaml
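Review bot: In charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml the shared `.Values.securityContext` is now rendered into the Windows DaemonSet, but its new default `seccompProfile: {type: RuntimeDefault}` is a Linux-only field: seccomp does not exist on Windows nodes, so it adds no confinement there, and the API server rejects it when the pod spec also declares `os.name: windows` (the rest of the pod spec is outside this hunk, so that needs checking). The same holds for the `runAsUser` example in the values.yaml comment and for the hard-coded block added in deploy/csi-smb-node-windows.yaml. A Windows-specific value (for example a new `windows.securityContext` carrying `windowsOptions`) would keep the Linux hardening from leaking into Windows pods. Separately, the replaced line moves this DaemonSet's default from the higher-priority `system-node-critical` to the chart default `system-cluster-critical`, while deploy/csi-smb-node-windows.yaml keeps `system-node-critical`; if that drop is not intended, keep the node-critical class here.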
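Review bot: In charts/latest/csi-driver-smb/templates/csi-smb-node.yaml (first hunk) the pod-level `seccompProfile: RuntimeDefault` confines only containers that are not privileged, because container runtimes start privileged containers without a seccomp filter. The container specs are outside this hunk, so please confirm whether any container in this DaemonSet sets `privileged: true`; if one does, the change hardens only the remaining containers, and the same applies to deploy/csi-smb-node.yaml. I would record that limit next to the block, e.g. `# seccomp is not applied to privileged containers in this pod`.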
+++ b/charts/latest/csi-driver-smb/values.yaml
@@ -150,4 +150,4 @@ priorityClassName: system-cluster-critical
 ## Security context give the opportunity to run container as nonroot by setting a securityContext
 ## by example :
 ## securityContext: { runAsUser: 1001 }
-securityContext: {}
+securityContext: { seccompProfile: {type: RuntimeDefault} }
diff --git a/deploy/csi-smb-controller.yaml b/deploy/csi-smb-controller.yaml
index 1b9008beda9..d8bc2a1ed4d 100644
--- a/deploy/csi-smb-controller.yaml
+++ b/deploy/csi-smb-controller.yaml
@@ -19,6 +19,9 @@ spec:
 nodeSelector:
 kubernetes.io/os: linux
 priorityClassName: system-cluster-critical
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 tolerations:
 - key: "node-role.kubernetes.io/master"
 operator: "Exists"
diff --git a/deploy/csi-smb-node-windows.yaml b/deploy/csi-smb-node-windows.yaml
index cf486448176..71c34d91db5 100644
--- a/deploy/csi-smb-node-windows.yaml
+++ b/deploy/csi-smb-node-windows.yaml
@@ -24,6 +24,9 @@ spec:
 nodeSelector:
 kubernetes.io/os: windows
 priorityClassName: system-node-critical
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: csi-smb-node-sa
 containers:
 - name: liveness-probe
diff --git a/deploy/csi-smb-node.yaml b/deploy/csi-smb-node.yaml
index e5a1cd0108b..055a2c340b8 100644
--- a/deploy/csi-smb-node.yaml
+++ b/deploy/csi-smb-node.yaml
@@ -23,6 +23,9 @@ spec:
 nodeSelector:
 kubernetes.io/os: linux
 priorityClassName: system-node-critical
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 tolerations:
 - operator: "Exists"
 containers:
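Review bot: The comment above `securityContext` in charts/latest/csi-driver-smb/values.yaml still describes only the non-root use case and does not mention that the default now sets a seccomp profile on every pod the chart renders. Helm merges map values, so a user who supplies `securityContext: { runAsUser: 1001 }` keeps `seccompProfile` too, and opting out needs an explicit `seccompProfile: null`. I would add a line such as `## default applies the container runtime's default seccomp profile to all driver pods; set securityContext.seccompProfile to null to remove it`.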