From 158ee3ea42d783dcfeae44bd756801e4db87f5d9 Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 28 Aug 2025 18:32:26 -0700 Subject: [PATCH] vault/csi-provider: update recommendations for OpenShift Also use the chart values to set `privileged: true` instead of directly patching the daemonSet. Across 1.20-1.18, 1.16 doc versions. --- .../docs/platform/k8s/csi/installation.mdx | 26 +++++++------------ .../docs/platform/k8s/csi/installation.mdx | 26 +++++++------------ .../deploy/kubernetes/csi/installation.mdx | 26 +++++++------------ .../deploy/kubernetes/csi/installation.mdx | 26 +++++++------------ 4 files changed, 36 insertions(+), 68 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx b/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx index e3a41988c..2e8d92606 100644 --- a/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx +++ b/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx @@ -46,28 +46,20 @@ more. ## Installation on OpenShift -We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift) -instead of the Secrets Store CSI driver. OpenShift -[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html) -using `hostPath` mounting in production or -[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks) -using CSI objects because pods must run as privileged. Pods will have elevated access to -other pods on the same node, which OpenShift does not recommend. - You can run the Secrets Store CSI driver with additional security configurations on a OpenShift development or testing cluster. -Deploy the Secrets Store CSI driver and Vault Helm chart -to your OpenShift cluster. - -Then, patch the `DaemonSet` for the Vault CSI provider to -run with a privileged security context. +Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift +cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2) +to `privileged: true` in the Vault Helm chart values: -```shell-session -$ kubectl patch daemonset vault-csi-provider \ - --type='json' \ - --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]' +```yaml +csi: + daemonSet: + securityContext: + container: + privileged: true ``` The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access. diff --git a/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx b/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx index b4acd0b67..639ebe49a 100644 --- a/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx +++ b/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx @@ -46,28 +46,20 @@ more. ## Installation on OpenShift -We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift) -instead of the Secrets Store CSI driver. OpenShift -[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html) -using `hostPath` mounting in production or -[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks) -using CSI objects because pods must run as privileged. Pods will have elevated access to -other pods on the same node, which OpenShift does not recommend. - You can run the Secrets Store CSI driver with additional security configurations on a OpenShift development or testing cluster. -Deploy the Secrets Store CSI driver and Vault Helm chart -to your OpenShift cluster. - -Then, patch the `DaemonSet` for the Vault CSI provider to -run with a privileged security context. +Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift +cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2) +to `privileged: true` in the Vault Helm chart values: -```shell-session -$ kubectl patch daemonset vault-csi-provider \ - --type='json' \ - --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]' +```yaml +csi: + daemonSet: + securityContext: + container: + privileged: true ``` The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access. diff --git a/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx b/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx index b4acd0b67..639ebe49a 100644 --- a/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx +++ b/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx @@ -46,28 +46,20 @@ more. ## Installation on OpenShift -We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift) -instead of the Secrets Store CSI driver. OpenShift -[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html) -using `hostPath` mounting in production or -[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks) -using CSI objects because pods must run as privileged. Pods will have elevated access to -other pods on the same node, which OpenShift does not recommend. - You can run the Secrets Store CSI driver with additional security configurations on a OpenShift development or testing cluster. -Deploy the Secrets Store CSI driver and Vault Helm chart -to your OpenShift cluster. - -Then, patch the `DaemonSet` for the Vault CSI provider to -run with a privileged security context. +Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift +cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2) +to `privileged: true` in the Vault Helm chart values: -```shell-session -$ kubectl patch daemonset vault-csi-provider \ - --type='json' \ - --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]' +```yaml +csi: + daemonSet: + securityContext: + container: + privileged: true ``` The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access. diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx index b4acd0b67..639ebe49a 100644 --- a/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx +++ b/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx @@ -46,28 +46,20 @@ more. ## Installation on OpenShift -We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift) -instead of the Secrets Store CSI driver. OpenShift -[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html) -using `hostPath` mounting in production or -[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks) -using CSI objects because pods must run as privileged. Pods will have elevated access to -other pods on the same node, which OpenShift does not recommend. - You can run the Secrets Store CSI driver with additional security configurations on a OpenShift development or testing cluster. -Deploy the Secrets Store CSI driver and Vault Helm chart -to your OpenShift cluster. - -Then, patch the `DaemonSet` for the Vault CSI provider to -run with a privileged security context. +Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift +cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2) +to `privileged: true` in the Vault Helm chart values: -```shell-session -$ kubectl patch daemonset vault-csi-provider \ - --type='json' \ - --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]' +```yaml +csi: + daemonSet: + securityContext: + container: + privileged: true ``` The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access.