Merge pull request #422 from farodin91/securityContext
feat: add readOnlyRootFilesystem if possible
k8s-ci-robot authored Mar 18, 2023
2 parents cd50d48 + 18432fa commit 2999e7e
Showing 3 changed files with 12 additions and 0 deletions.
Binary file modified charts/latest/csi-driver-nfs-v0.0.0.tgz
Binary file not shown.
@@ -61,6 +61,8 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: liveness-probe
image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
args:
@@ -73,13 +75,16 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: nfs
image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:
- "--v={{ .Values.controller.logLevel }}"
@@ -113,6 +118,8 @@ spec:
mountPropagation: "Bidirectional"
- mountPath: /csi
name: socket-dir
- mountPath: {{ .Values.controller.workingMountDir }}
name: tmp-dir
resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }}
volumes:
- name: pods-mount-dir
@@ -121,3 +128,5 @@ spec:
type: Directory
- name: socket-dir
emptyDir: {}
- name: tmp-dir
emptyDir: {}
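Review bot: `readOnlyRootFilesystem: true` on the nfs container (second hunk) is not an isolation boundary, because the same securityContext keeps `privileged: true`, `SYS_ADMIN` and `allowPrivilegeEscalation: true`, and such a process can generally remount its root read-write. I would document that above the field, e.g. `# guards against accidental writes only; this container stays privileged for mount operations`, so the setting is not later read as containment of a compromised driver. The same applies to the nfs container in the second hunk of csi-nfs-node.yaml. Separately, `mountPath: {{ .Values.controller.workingMountDir }}` in the third hunk is unquoted, so an empty value renders as null; `mountPath: "{{ .Values.controller.workingMountDir }}"` is safer. The container definitions start and end outside the visible hunks.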
3 changes: 3 additions & 0 deletions charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -51,6 +51,8 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
- name: node-driver-registrar
image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
livenessProbe:
@@ -85,6 +87,7 @@ spec:
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
args :
- "--v={{ .Values.node.logLevel }}"
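Review bot: The liveness-probe securityContext in the first hunk sets only `readOnlyRootFilesystem: true`, leaving privilege escalation and the default capability set in place for a sidecar whose visible mounts are limited to the /csi socket directory. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` looks applicable here, provided the probe can still reach the socket; that should be checked against the user the image runs as. The same applies to the csi-provisioner and liveness-probe containers in the controller template. The container definition begins outside the hunk.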
