ceph / ceph-csi

CSI driver for Ceph
Apache License 2.0

allow podSecurityContexts to be set in `nodeplugin` and `provisioner` of chart `ceph-csi-cephfs` #4663

Closed 1602077 closed 2 weeks ago

1602077 commented 3 weeks ago

Describe the feature you'd like to have

Allow the pod-level security contexts to be configurable via helm values.yaml for ceph-csi-cephfs for both the nodeplugin and provisioner.

What is the value to the end user? (why is it a priority?)

End users can configure their securityContexts per environment. This is particularly important if you have an admission controller like OPA or Kyverno running with strict security configurations (e.g. seccomp profile, SELinux options).

How will we know we have a good solution? (acceptance criteria)

As an end user I can configure the pod-level security contexts for both the nodeplugin and provisioner.

Additional context

Proposed solution would be something along the lines of the below, with a default of no securityContext set to prevent breaking changes for end users. This allows the flexibility to specify any of the podSecurityContext options.

# values.yaml
nodeplugin:
  podSecurityContext: {}
provisioner:
  podSecurityContext: {}
---
# charts/ceph-csi-cephfs/templates/node-plugin-daemonset.yaml
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
...
  template:
    metadata:
    spec:
      securityContext: {{ toYaml .Values.nodeplugin.podSecurityContext | nindent 8 }}
...
---
Madhu-1 commented 3 weeks ago

@1602077 Are you facing any problem with running cephcsi in your cluster? If yes, what is it and how did you solve it? This helps us understand what we are missing, and we can try to open up these settings for users.

1602077 commented 3 weeks ago

Hey @Madhu-1 - As there is no seccomp profile specified in the provisioner or nodeplugin, it will default to a seccomp profile of Unconfined when deployed.

This blocks me from deploying cephcsi in a cluster with an admission controller / policy controller requiring a seccomp profile to be set.

i.e. https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/.

Ideally I would like the option to be able to configure this and other properties of the securityContext at a pod level, such that I can deploy in these stricter environments.
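As an added example (not part of this issue or of the ceph-csi project), the check a seccomp admission policy effectively performs on a rendered pod template: compute each container's effective profile and flag anything not RuntimeDefault or Localhost. The pod specs are constructed to mirror the chart's default (empty podSecurityContext), a values.yaml that sets one, and a container that overrides the pod-level setting.

```python
# Added example (not ceph-csi project code): compute the seccomp profile each
# container would actually run with, the way an admission policy inspects a
# rendered pod template. All manifests below are constructed.
from typing import Dict, List

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}


def effective_seccomp(pod_spec: Dict) -> Dict[str, str]:
    """Map container name -> effective seccompProfile.type.

    A container-level securityContext.seccompProfile overrides the pod-level
    one; when neither is set the container runs Unconfined.
    """
    pod_level = (pod_spec.get("securityContext") or {}).get("seccompProfile") or {}
    result = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        c_level = (c.get("securityContext") or {}).get("seccompProfile") or {}
        result[c["name"]] = (c_level or pod_level).get("type", "Unconfined")
    return result


def seccomp_violations(pod_spec: Dict) -> List[str]:
    """Containers whose effective profile is neither RuntimeDefault nor Localhost."""
    return sorted(n for n, t in effective_seccomp(pod_spec).items() if t not in ALLOWED_TYPES)


# Chart default: podSecurityContext {} renders to an empty pod securityContext.
DEFAULT_SPEC = {
    "securityContext": {},
    "containers": [{"name": "registrar"}, {"name": "plugin"}],
}

# Same template with nodeplugin.podSecurityContext set in values.yaml.
HARDENED_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": DEFAULT_SPEC["containers"],
}

# A pod-level profile does not help a container that overrides it.
OVERRIDE_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "plugin"},
                   {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
}

if __name__ == "__main__":
    for label, spec in [("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC), ("override", OVERRIDE_SPEC)]:
        print(f"{label:9}", seccomp_violations(spec))
```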