k8snetworkplumbingwg / sriov-cni

DPDK & SR-IOV CNI plugin
Apache License 2.0

Improve daemonset security #170

Closed martinkennelly closed 3 years ago

martinkennelly commented 3 years ago

Signed-off-by: Martin Kennelly <martin.kennelly@intel.com>

nayihz commented 2 years ago

The daemonset cannot run when the securityContext is set.

# kubectl logs -f -nkube-system kube-sriov-cni-ds-amd64-g49n2
cp: can't create '/host/opt/cni/bin/sriov': Permission denied

It will run successfully after deleting the securityContext config.

nayihz commented 2 years ago

I am confused about why we set

securityContext:
     allowPrivilegeEscalation: false
     privileged: true
     readOnlyRootFilesystem: true

when we need to copy the binary file to the host.