Run all csi-hostpath containers as privileged
On systems with SELinux enabled, non-privileged containers cannot access files created by privileged containers — here, the Unix domain socket exposed by the privileged CSI driver container. Since every sidecar connects to that socket, all sidecars must be privileged too.
		| @@ -44,6 +44,11 @@ spec: | ||||
|           args: | ||||
|             - --v=5 | ||||
|             - --csi-address=/csi/csi.sock | ||||
|           securityContext: | ||||
|             # This is necessary only for systems with SELinux, where | ||||
|             # non-privileged sidecar containers cannot access unix domain socket | ||||
|             # created by privileged CSI driver container. | ||||
|             privileged: true | ||||
|           volumeMounts: | ||||
|           - mountPath: /csi | ||||
|             name: socket-dir | ||||
|   | ||||
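Review bot: `privileged: true` on this sidecar grants far more than the socket access the adjacent comment describes — all capabilities, host device access and no seccomp/AppArmor confinement — while the comment itself says the setting is needed only on SELinux hosts. If the blocker is the SELinux label on `/csi/csi.sock`, a narrower option worth testing is to keep the sidecar unprivileged and set `securityContext: { seLinuxOptions: { type: spc_t } }` so it shares the driver's context; I have not verified this on the distributions in question, so please confirm before switching. Either way the deployment docs should state that non-SELinux clusters can drop these `privileged: true` entries and that PodSecurityPolicy/admission users must now allow privileged sidecars. The same block is repeated verbatim in the other four hunks, so whatever is decided here applies to all of them.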
| @@ -46,6 +46,9 @@ spec: | ||||
|             - --csi-address=/csi/csi.sock | ||||
|             - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock | ||||
|           securityContext: | ||||
|             # This is necessary only for systems with SELinux, where | ||||
|             # non-privileged sidecar containers cannot access unix domain socket | ||||
|             # created by privileged CSI driver container. | ||||
|             privileged: true | ||||
|           env: | ||||
|             - name: KUBE_NODE_NAME | ||||
|   | ||||
| @@ -46,6 +46,11 @@ spec: | ||||
|             - -v=5 | ||||
|             - --csi-address=/csi/csi.sock | ||||
|             - --connection-timeout=15s | ||||
|           securityContext: | ||||
|             # This is necessary only for systems with SELinux, where | ||||
|             # non-privileged sidecar containers cannot access unix domain socket | ||||
|             # created by privileged CSI driver container. | ||||
|             privileged: true | ||||
|           volumeMounts: | ||||
|             - mountPath: /csi | ||||
|               name: socket-dir | ||||
|   | ||||
| @@ -37,6 +37,11 @@ spec: | ||||
|           env: | ||||
|             - name: ADDRESS | ||||
|               value: /csi/csi.sock | ||||
|           securityContext: | ||||
|             # This is necessary only for systems with SELinux, where | ||||
|             # non-privileged sidecar containers cannot access unix domain socket | ||||
|             # created by privileged CSI driver container. | ||||
|             privileged: true | ||||
|           imagePullPolicy: Always | ||||
|           volumeMounts: | ||||
|             - mountPath: /csi | ||||
|   | ||||
| @@ -38,6 +38,11 @@ spec: | ||||
|         env: | ||||
|         - name: ADDRESS | ||||
|           value: /csi/csi.sock | ||||
|         securityContext: | ||||
|           # This is necessary only for systems with SELinux, where | ||||
|           # non-privileged sidecar containers cannot access unix domain socket | ||||
|           # created by privileged CSI driver container. | ||||
|           privileged: true | ||||
|         imagePullPolicy: Always | ||||
|         volumeMounts: | ||||
|         - name: socket-dir | ||||
|   | ||||
	 Jan Safranek
					Jan Safranek