feat: enable securityContext.seccompProfile

kubernetes-csi · Apr 8, 2023 · 7debaf0 · 7debaf0
1 parent 266be22
commit 7debaf0
Show file tree

Hide file tree

Showing 9 changed files with 22 additions and 10 deletions.
diff --git a/charts/README.md b/charts/README.md
@@ -70,7 +70,7 @@ The following table lists the configurable parameters of the latest SMB CSI Driv
 | `podAnnotations`                                        | collection of annotations to add to all the pods                                                           | `{}`                                                    |
 | `podLabels`                                             | collection of labels to add to all the pods                                                                | `{}`                                                    |
 | `priorityClassName`                                     | priority class name to be added to pods                                                                    | `system-cluster-critical`                               |
-| `securityContext`                                       | security context to be added to pods                                                                       | `{}`                                                    |
+| `securityContext`                                       | security context to be added to pods                                                                       | `{ seccompProfile: {type: RuntimeDefault} }`                                                    |
 | `controller.name`                                       | name of driver deployment                                                                                  | `csi-smb-controller`                                    |
 | `controller.replicas`                                   | replica num of csi-smb-controller                                                                          | `1`                                                     |
 | `controller.dnsPolicy`                                  | dnsPolicy of driver node daemonset, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` |                                                         |

diff --git a/charts/latest/csi-driver-smb-v0.0.0.tgz b/charts/latest/csi-driver-smb-v0.0.0.tgz
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -39,7 +39,10 @@ spec:
         {{- if .Values.controller.runOnControlPlane}}
         node-role.kubernetes.io/control-plane: ""
         {{- end}}
-      priorityClassName: system-cluster-critical
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- if .Values.securityContext }}
+      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
 {{- with .Values.controller.tolerations }}
       tolerations:
 {{ toYaml . | indent 8 }}
@@ -131,6 +134,3 @@ spec:
           emptyDir: {}
         - name: tmp-dir
           emptyDir: {}
-      {{- if .Values.securityContext }}
-      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
-      {{- end }}
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
@@ -31,7 +31,10 @@ spec:
       affinity:
 {{ toYaml . | indent 8 }}
 {{- end }}
-      priorityClassName: system-node-critical
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- if .Values.securityContext }}
+      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.node }}
       {{- include "smb.pullSecrets" . | indent 6 }}
       containers:

diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
@@ -38,6 +38,9 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
       priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- if .Values.securityContext }}
+      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
 {{- with .Values.linux.tolerations }}
       tolerations:
 {{ toYaml . | indent 8 }}
@@ -148,7 +151,4 @@ spec:
             path: {{ .Values.linux.kubelet }}/plugins_registry/
             type: DirectoryOrCreate
           name: registration-dir
-      {{- if .Values.securityContext }}
-      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
-      {{- end }}
 {{- end -}}
diff --git a/charts/latest/csi-driver-smb/values.yaml b/charts/latest/csi-driver-smb/values.yaml
@@ -150,4 +150,4 @@ priorityClassName: system-cluster-critical
 ## Security context give the opportunity to run container as nonroot by setting a securityContext
 ## by example :
 ## securityContext: { runAsUser: 1001 }
-securityContext: {}
+securityContext: { seccompProfile: {type: RuntimeDefault} }
diff --git a/deploy/csi-smb-controller.yaml b/deploy/csi-smb-controller.yaml
@@ -19,6 +19,9 @@ spec:
       nodeSelector:
         kubernetes.io/os: linux
       priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
         - key: "node-role.kubernetes.io/master"
           operator: "Exists"

diff --git a/deploy/csi-smb-node-windows.yaml b/deploy/csi-smb-node-windows.yaml
@@ -24,6 +24,9 @@ spec:
       nodeSelector:
         kubernetes.io/os: windows
       priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: csi-smb-node-sa
       containers:
         - name: liveness-probe

diff --git a/deploy/csi-smb-node.yaml b/deploy/csi-smb-node.yaml
@@ -23,6 +23,9 @@ spec:
       nodeSelector:
         kubernetes.io/os: linux
       priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
         - operator: "Exists"
       containers: