feat: add securityContext for pod and container

Signed-off-by: Jan Jansen <[email protected]>

Author: farodin91

charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml

@@ -61,6 +61,10 @@ spec:
             - mountPath: /csi
               name: socket-dir
           resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+          {{- with .Values.controller.containerSecurityContext.csiProvisioner }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
         - name: liveness-probe
           image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
           args:
@@ -73,13 +77,12 @@ spec:
             - name: socket-dir
               mountPath: /csi
           resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+          {{- with .Values.controller.containerSecurityContext.livenessProbe }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
         - name: nfs
           image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
           imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
           args:
             - "--v={{ .Values.controller.logLevel }}"
@@ -114,10 +117,17 @@ spec:
             - mountPath: /csi
               name: socket-dir
           resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }}
+          {{- with .Values.controller.containerSecurityContext.nfs }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
         - name: pods-mount-dir
           hostPath:
             path: {{ .Values.kubeletDir }}/pods
             type: Directory
         - name: socket-dir
           emptyDir: {}
+      {{- with .Values.controller.securityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml

@@ -51,6 +51,10 @@ spec:
             - name: socket-dir
               mountPath: /csi
           resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          {{- with .Values.node.containerSecurityContext.livenessProbe }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
         - name: node-driver-registrar
           image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
           livenessProbe:
@@ -79,12 +83,11 @@ spec:
             - name: registration-dir
               mountPath: /registration
           resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
-        - name: nfs
+          {{- with .Values.node.containerSecurityContext.nodeDriverRegistrar }}
           securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        - name: nfs
           image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
           args :
             - "--v={{ .Values.node.logLevel }}"
@@ -119,6 +122,10 @@ spec:
               mountPath: {{ .Values.kubeletDir }}/pods
               mountPropagation: "Bidirectional"
           resources: {{- toYaml .Values.node.resources.nfs | nindent 12 }}
+          {{- with .Values.node.containerSecurityContext.nfs }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
         - name: socket-dir
           hostPath:
@@ -132,3 +139,6 @@ spec:
             path: {{ .Values.kubeletDir }}/plugins_registry
             type: Directory
           name: registration-dir
+      {{- with .Values.node.securityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/latest/csi-driver-nfs/values.yaml

@@ -77,6 +77,20 @@ controller:
       requests:
         cpu: 10m
         memory: 20Mi
+  containerSecurityContext:
+    csiProvisioner:
+      readOnlyRootFilesystem: true
+    livenessProbe:
+      readOnlyRootFilesystem: true
+    nfs:
+      privileged: true
+      capabilities:
+        add: ["SYS_ADMIN"]
+      allowPrivilegeEscalation: true
+  ## Security context give the opportunity to run container as nonroot by setting a securityContext
+  ## by example :
+  ## securityContext: { runAsUser: 1001 }
+  securityContext: {}
 
 node:
   name: csi-nfs-node
@@ -108,6 +122,19 @@ node:
       requests:
         cpu: 10m
         memory: 20Mi
+  containerSecurityContext:
+    livenessProbe:
+      readOnlyRootFilesystem: true
+    nodeDriverRegistrar: {}
+    nfs:
+      privileged: true
+      capabilities:
+        add: ["SYS_ADMIN"]
+      allowPrivilegeEscalation: true
+  ## Security context give the opportunity to run container as nonroot by setting a securityContext
+  ## by example :
+  ## securityContext: { runAsUser: 1001 }
+  securityContext: {}
 
 ## Reference to one or more secrets to be used when pulling images
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/