Closed 1602077 closed 2 weeks ago
@1602077 Are you facing any problem with running cephcsi in your cluster? If yes, what is it and how did you solve it? This helps us to understand what we are missing, and we can try to open up these settings for users.
Hey @Madhu-1 - As there is no seccomp profile specified in the provisioner or nodeplugin, it will default to a seccomp profile of Unconfined when deployed.
This blocks me from deploying cephcsi in a cluster with an admission controller policy controller requiring a seccomp profile to be set,
i.e. https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/.
Ideally I would like the option to be able to configure this and other properties of the securityContext at a pod level, such that I can deploy in these stricter environments.
Describe the feature you'd like to have
Allow the pod-level security contexts to be configurable via helm values.yaml for ceph-csi-cephfs for both the nodeplugin and provisioner.
What is the value to the end user? (why is it a priority?)
End users can configure their securityContexts per environment. This is particularly important if you have an admission controller like opa or kyverno running with strict security configurations (e.g. seccomp profile, selinux options).
How will we know we have a good solution? (acceptance criteria)
As an end user I can configure the pod-level security contexts for both the nodeplugin and provisioner.
Additional context
Proposed solution would be something along the lines of the below, with a default of no securityContext set to prevent breaking changes for end users. This allows for the flexibility to specify any of the podSecurityContext options.
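
An added example, not part of the original issue or the ceph-csi chart: a small check of the kind an admission policy requiring a seccomp profile performs, showing that a single pod-level securityContext covers every container unless a container overrides it. The pod specs, container names and the `ALLOWED_TYPES` set are constructed assumptions.

```python
# Added example: pod specs below are constructed, not rendered from the ceph-csi chart.
ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}  # assumed policy: a profile must be set


def effective_seccomp(pod_spec, container):
    """Return the seccomp type that applies to a container, or None if unset.

    A container-level seccompProfile takes precedence over the pod-level one.
    """
    for ctx in (container.get("securityContext"), pod_spec.get("securityContext")):
        profile = (ctx or {}).get("seccompProfile")
        if profile:
            return profile.get("type")
    return None


def seccomp_violations(pod_spec):
    """List (container name, offending type) pairs for a pod spec."""
    violations = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(kind) or []:
            seccomp_type = effective_seccomp(pod_spec, container)
            if seccomp_type not in ALLOWED_TYPES:
                violations.append((container["name"], seccomp_type or "<unset>"))
    return violations


# No securityContext anywhere: the situation the issue describes.
UNSET_POD = {"containers": [{"name": "plugin"}, {"name": "sidecar"}]}

# Pod-level profile only: what a configurable podSecurityContext would allow.
HARDENED_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "plugin"}, {"name": "sidecar"}],
}

# A container-level override defeats the pod-level setting for that container.
OVERRIDE_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "plugin"},
        {"name": "sidecar",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ],
}

if __name__ == "__main__":
    for label, pod in (("unset", UNSET_POD), ("hardened", HARDENED_POD),
                       ("override", OVERRIDE_POD)):
        print(label, seccomp_violations(pod))
```

Running the same check over the output of `helm template` before deploying shows whether the rendered provisioner and nodeplugin pods would pass such a policy.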