
Commit d765a7c

Support security context
1 parent 9fec323 commit d765a7c


3 files changed

+29
-2
lines changed


manifest_staging/charts/secrets-store-csi-driver/README.md

Lines changed: 4 additions & 0 deletions
@@ -35,6 +35,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
3535
| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
3636
| `linux.image.tag` | Linux image tag | `v1.4.7` |
3737
| `linux.image.digest` | Linux image digest, image pull from digest instead of tag if specified | `""` |
38+
| `linux.podSecurityContext` | Linux pod security context | `{}` |
39+
| `linux.securityContext` | Linux secrets-store container security context | `{"privileged": "true"}` |
3840
| `linux.crds.enabled` | If the CRDs should be managed by the chart | `true` |
3941
| `linux.crds.image.repository` | Linux crds image repository | `registry.k8s.io/csi-secrets-store/driver-crds` |
4042
| `linux.crds.image.pullPolicy` | Linux crds image pull policy | `IfNotPresent` |
@@ -55,12 +57,14 @@ The following table lists the configurable parameters of the csi-secrets-store-p
5557
| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.11.1` |
5658
| `linux.registrarImage.digest` | Linux node-driver-registrar image digest, image pull from digest instead of tag if specified | `""` |
5759
| `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
60+
| `linux.registrar.securityContext` | The security context for the linux node-driver-registrar container image | `{}` |
5861
| `linux.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` |
5962
| `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `registry.k8s.io/sig-storage/livenessprobe` |
6063
| `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` |
6164
| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.13.1` |
6265
| `linux.livenessProbeImage.digest` | Linux liveness-probe image digest, image pull from digest instead of tag if specified | `""` |
6366
| `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
67+
| `linux.livenessProbe.securityContext` | The security context for the linux liveness-probe container | `{}` |
6468
| `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` |
6569
| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
6670
| `linux.crds.annotations` | Linux *helm hook* annotations | `{}` |
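Review bot: the description for `linux.registrar.securityContext` reads "The security context for the linux node-driver-registrar container image", but a security context applies to the container, not the image; the `linux.livenessProbe.securityContext` row two lines below already says "container", so align the registrar row with it.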

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml

Lines changed: 17 additions & 1 deletion
@@ -36,6 +36,12 @@ spec:
3636
{{- end }}
3737
affinity:
3838
{{ toYaml .Values.linux.affinity | indent 8 }}
39+
{{- if .Values.linux.podSecurityContext }}
40+
securityContext:
41+
{{- with .Values.linux.podSecurityContext }}
42+
{{- toYaml . | nindent 8 }}
43+
{{- end }}
44+
{{- end }}
3945
containers:
4046
- name: node-driver-registrar
4147
{{- if .Values.linux.registrarImage.digest }}
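Review bot: the outer `{{- if .Values.linux.podSecurityContext }}` wrapping `{{- with .Values.linux.podSecurityContext }}` is redundant, because `with` already skips its body when the value is empty; either drop the `if` and move `securityContext:` inside the `with`, or drop the `with` and use `toYaml .Values.linux.podSecurityContext | nindent 8` as the registrar and liveness-probe hunks in this file do, so all three new blocks follow one pattern.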
@@ -48,6 +54,10 @@ spec:
4854
- --csi-address=/csi/csi.sock
4955
- --kubelet-registration-path={{ .Values.linux.kubeletRootDir }}/plugins/csi-secrets-store/csi.sock
5056
imagePullPolicy: {{ .Values.linux.registrarImage.pullPolicy }}
57+
{{- if .Values.linux.registrar.securityContext }}
58+
securityContext:
59+
{{- toYaml .Values.linux.registrar.securityContext | nindent 12}}
60+
{{- end }}
5161
volumeMounts:
5262
- name: plugin-dir
5363
mountPath: /csi
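Review bot: `{{- toYaml .Values.linux.registrar.securityContext | nindent 12}}` lacks the space before the closing `}}` that every other action in this template has; Go templates accept it, but fix it for consistency with the liveness-probe block below. Note also that with the default `{}` the `if` guard drops the key entirely, so the registrar keeps the cluster's default container security context exactly as before this change; that is reasonable, but the README row should say so.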
@@ -103,7 +113,9 @@ spec:
103113
fieldPath: spec.nodeName
104114
imagePullPolicy: {{ .Values.linux.image.pullPolicy }}
105115
securityContext:
106-
privileged: true
116+
{{- with .Values.linux.securityContext }}
117+
{{- toYaml . | nindent 12 }}
118+
{{- end }}
107119
ports:
108120
- containerPort: {{ .Values.livenessProbe.port }}
109121
name: healthz
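Review bot: unlike the two sidecar hunks, `securityContext:` is emitted unconditionally here while its body sits inside `{{- with .Values.linux.securityContext }}`, so a user who sets `linux.securityContext: {}` renders a bare `securityContext:` key with no children; use the same `if` guard as the other blocks, or document that the value must not be emptied. This hunk also turns the previously hard-coded `privileged: true` into an operator-controlled value, and nothing in the commit states what the driver relies on privileged mode for, so the chart should carry that explanation where the value is defined.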
@@ -148,6 +160,10 @@ spec:
148160
image: "{{ .Values.linux.livenessProbeImage.repository }}:{{ .Values.linux.livenessProbeImage.tag }}"
149161
{{- end }}
150162
imagePullPolicy: {{ .Values.linux.livenessProbeImage.pullPolicy }}
163+
{{- if .Values.linux.livenessProbe.securityContext }}
164+
securityContext:
165+
{{- toYaml .Values.linux.livenessProbe.securityContext | nindent 12 }}
166+
{{- end }}
151167
args:
152168
- --csi-address=/csi/csi.sock
153169
- --probe-timeout=3s

manifest_staging/charts/secrets-store-csi-driver/values.yaml

Lines changed: 8 additions & 1 deletion
@@ -6,6 +6,9 @@ linux:
66
#digest: sha256:
77
pullPolicy: IfNotPresent
88

9+
# Pod security context
10+
podSecurityContext: {}
11+
912
crds:
1013
enabled: true
1114
image:
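Review bot: `podSecurityContext: {}` gives users no hint of the expected shape; following the `#digest: sha256:` convention a few lines above, add a commented example under `# Pod security context`, for instance `#   seccompProfile:` / `#     type: RuntimeDefault`, so operators know this is the pod-level `securityContext` block rather than the container-level one defined further down. The stray blank line added at new line 11 can also be dropped, since the original already had a blank line before `crds:`.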
@@ -22,6 +25,9 @@ linux:
2225
# memory: "512Mi"
2326
annotations: {}
2427
podLabels: {}
28+
# The secrets-store container security context
29+
securityContext:
30+
privileged: true
2531

2632
## Prevent the CSI driver from being scheduled on virtual-kubelet nodes
2733
affinity:
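Review bot: the new comment says only "The secrets-store container security context"; since this value replaces a hard-coded `privileged: true` and the default keeps it, the comment should also state that the driver requires privileged mode and what breaks if an operator removes or tightens it, otherwise the first thing a hardening pass will do is set this to `{}` without knowing the consequences.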
@@ -58,7 +64,7 @@ linux:
5864
cpu: 10m
5965
memory: 20Mi
6066
logVerbosity: 5
61-
67+
securityContext: {}
6268
livenessProbeImage:
6369
repository: registry.k8s.io/sig-storage/livenessprobe
6470
tag: v2.13.1
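Review bot: `securityContext: {}` for the node-driver-registrar leaves the sidecar at the cluster's default container security context; since this sidecar is not privileged, consider whether a restrictive default such as `allowPrivilegeEscalation: false` (with the corresponding README default updated) is more appropriate than an empty map, or at minimum add a comment explaining that an empty value means no explicit restriction is applied.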
@@ -73,6 +79,7 @@ linux:
7379
requests:
7480
cpu: 10m
7581
memory: 20Mi
82+
securityContext: {}
7683

7784
updateStrategy:
7885
type: RollingUpdate
