Merge pull request #422 from farodin91/securityContext

k8s-ci-robot · web-flow · commit 2999e7e3fb6a · 2023-03-17T19:15:15.000-07:00
feat: add readOnlyRootFilesystem if possible
diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz
diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
@@ -61,6 +61,8 @@ spec:
             - mountPath: /csi
               name: socket-dir
           resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
         - name: liveness-probe
           image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
           args:
@@ -73,13 +75,16 @@ spec:
             - name: socket-dir
               mountPath: /csi
           resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
         - name: nfs
           image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
           securityContext:
             privileged: true
             capabilities:
               add: ["SYS_ADMIN"]
             allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
           imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
           args:
             - "--v={{ .Values.controller.logLevel }}"
@@ -113,6 +118,8 @@ spec:
               mountPropagation: "Bidirectional"
             - mountPath: /csi
               name: socket-dir
+            - mountPath: {{ .Values.controller.workingMountDir }}
+              name: tmp-dir
           resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }}
       volumes:
         - name: pods-mount-dir
@@ -121,3 +128,5 @@ spec:
             type: Directory
         - name: socket-dir
           emptyDir: {}
+        - name: tmp-dir
+          emptyDir: {}
diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -51,6 +51,8 @@ spec:
             - name: socket-dir
               mountPath: /csi
           resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
         - name: node-driver-registrar
           image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
           livenessProbe:
@@ -85,6 +87,7 @@ spec:
             capabilities:
               add: ["SYS_ADMIN"]
             allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
           image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
           args :
             - "--v={{ .Values.node.logLevel }}"
