WIP: helm: add support to override securityContext #1734
wants to merge 1 commit into
base: main
24 changes: 24 additions & 0 deletions .local/debug-driver.yaml
Expand Up @@ -41,6 +41,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.3.0
imagePullPolicy: IfNotPresent
Expand All @@ -59,6 +67,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
Expand Down Expand Up @@ -118,6 +134,14 @@ spec:
requests:
cpu: 250m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: driver-volume
persistentVolumeClaim:
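Review bot: The hardened block (`privileged: false`, `runAsNonRoot: true`, `capabilities.drop: [ALL]`) is appended to the tail of every container in this manifest, starting at `@@ -41,6 +41,14 @@`, without regard to whether that container already declares a `securityContext` earlier in its spec; if it does, the file ends up with two `securityContext` keys in one mapping, which most YAML loaders resolve silently as last-wins and kubectl may or may not reject. This matters most for the CSI driver container itself: a volumeMount with `mountPropagation: Bidirectional` is only accepted by the kubelet for a privileged container, so a `privileged: false` default on that container either conflicts with an existing `privileged: true` or breaks the mount. The same pattern appears in deploy/secrets-store-csi-driver.yaml, where `@@ -90,6 +98,14 @@` is the tail of the `secrets-store` container. Please check each target container's full spec (the enclosing container blocks start outside these hunks) and apply the full block only to the registrar and liveness-probe sidecars, keeping the driver container's block limited to fields compatible with its mount requirements.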
24 changes: 24 additions & 0 deletions deploy/secrets-store-csi-driver-windows.yaml
Expand Up @@ -35,6 +35,14 @@ spec:
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: secrets-store
image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
args:
Expand Down Expand Up @@ -84,6 +92,14 @@ spec:
mountPath: "C:\\var\\lib\\kubelet\\pods"
- name: providers-dir
mountPath: C:\k\secrets-store-csi-providers
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
imagePullPolicy: IfNotPresent
Expand All @@ -102,6 +118,14 @@ spec:
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
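Review bot: The block added to the Windows containers (`@@ -35,6 +35,14 @@`, `@@ -84,6 +92,14 @@`, `@@ -102,6 +118,14 @@`) is made of Linux-only fields: `allowPrivilegeEscalation`, `capabilities`, `privileged` and `readOnlyRootFilesystem` are documented as unsupported for Windows containers, and when the pod declares `spec.os.name: windows` the API server rejects them at admission instead of ignoring them. Only `runAsNonRoot` carries a Windows meaning (the kubelet verifies the container user is not ContainerAdministrator). Suggest reducing the Windows block to `securityContext:` / `  runAsNonRoot: true`, optionally with `windowsOptions.runAsUserName`, and the same applies to the Windows Helm template further down, which renders the shared `.Values.securityContext` into these same containers.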
24 changes: 24 additions & 0 deletions deploy/secrets-store-csi-driver.yaml
Expand Up @@ -35,6 +35,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: secrets-store
image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
args:
Expand Down Expand Up @@ -90,6 +98,14 @@ spec:
requests:
cpu: 50m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
imagePullPolicy: IfNotPresent
Expand All @@ -108,6 +124,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,10 @@ spec:
mountPath: C:\csi
- name: registration-dir
mountPath: C:\registration
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.registrar.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand Down Expand Up @@ -134,6 +138,10 @@ spec:
{{- if .Values.windows.volumeMounts }}
{{- toYaml .Values.windows.volumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.driver.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand All @@ -153,13 +161,21 @@ spec:
volumeMounts:
- name: plugin-dir
mountPath: C:\csi
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.livenessProbe.resources }}
resources:
{{ toYaml . | indent 12 }}
{{- end }}
{{- if .Values.windows.priorityClassName }}
priorityClassName: {{ .Values.windows.priorityClassName | quote }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
volumes:
- name: mountpoint-dir
hostPath:
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,10 @@ spec:
mountPath: /csi
- name: registration-dir
mountPath: /registration
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.registrar.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand Down Expand Up @@ -137,6 +141,10 @@ spec:
{{- if .Values.linux.volumeMounts }}
{{- toYaml .Values.linux.volumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.driver.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand All @@ -156,13 +164,21 @@ spec:
volumeMounts:
- name: plugin-dir
mountPath: /csi
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.livenessProbe.resources }}
resources:
{{ toYaml . | indent 12 }}
{{- end }}
{{- if .Values.linux.priorityClassName }}
priorityClassName: {{ .Values.linux.priorityClassName | quote }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
volumes:
- name: mountpoint-dir
hostPath:
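Review bot: All three containers in this DaemonSet are rendered from the single `.Values.securityContext` (`@@ -53,6 +53,10 @@`, `@@ -137,6 +141,10 @@`, `@@ -156,13 +164,21 @@`), and the Windows template renders the same value, so a user cannot give the driver container a different context from the sidecars, nor give Windows a Windows-compatible one, which defeats the "override" goal in the PR title. The chart already scopes per-container, per-OS settings as `.Values.linux.driver.resources` / `.Values.windows.driver.resources` (visible right after each new block); following that layout with `.Values.linux.driver.securityContext` (likewise for registrar, livenessProbe and the windows tree) would fit the file and let a `with` block replace the repeated full path, e.g. `{{- with .Values.linux.driver.securityContext }}` followed by `{{- toYaml . | nindent 12 }}` as the adjacent resources blocks do. The pod-level `podSecurityContext` block is shared with the Windows template as well, where its documented `fsGroup` example is not supported; a `linux.podSecurityContext` / `windows.podSecurityContext` split would be consistent with the rest.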
17 changes: 16 additions & 1 deletion manifest_staging/charts/secrets-store-csi-driver/values.yaml
Expand Up @@ -13,7 +13,8 @@ linux:
tag: v1.4.7
pullPolicy: IfNotPresent
## Optionally override resource limits for crd hooks(jobs)
resources: {}
resources:
{}
# requests:
# cpu: "100m"
# memory: "128Mi"
Expand Down Expand Up @@ -242,3 +243,17 @@ tokenRequests: []
# -- Labels to apply to all resources
commonLabels: {}
# team_name: dev

securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

# podSecurityContext -- [Security context for Pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
podSecurityContext:
# fsGroup: 1000
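Review bot: `podSecurityContext:` at the end of `@@ -242,3 +243,17 @@` is a bare key, which parses as null; that happens to satisfy the template's `if`, but it is inconsistent with `commonLabels: {}` above and trips yamllint's empty-values rule, so write `podSecurityContext: {}` with the `# fsGroup: 1000` example kept as a comment. The new `securityContext` block also lacks a leading description comment in the helm-docs style used by `# podSecurityContext -- ...` and `# -- Labels to apply to all resources`; add e.g. `# securityContext -- [Security context applied to every container, including the driver](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)`, since defaulting `runAsUser: 1000` / `runAsNonRoot: true` changes the user the driver runs as for existing installs that upgrade, and that deserves to be stated where the value is set. The reflow of `resources: {}` into two lines at `@@ -13,7 +13,8 @@` looks like unrelated formatter churn and could be dropped from the PR.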