Merge pull request #437 from andyzhangx/add-seccompProfile

feat: enable securityContext.seccompProfile, set system-cluster-critical
kubernetes-csi · Apr 9, 2023 · fa6a1e7 · fa6a1e7
2 parents 3f5c566 + 847601b
commit fa6a1e7
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 0 deletions.
diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz
diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
@@ -40,6 +40,9 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
       priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
 {{- with .Values.controller.tolerations }}
       tolerations:
 {{ toYaml . | indent 8 }}

diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -25,6 +25,10 @@ spec:
       hostNetwork: true # original nfs connection would be broken without hostNetwork setting
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
       serviceAccountName: csi-nfs-node-sa
+      priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
 {{- with .Values.node.affinity }}
       affinity:
 {{ toYaml . | indent 8 }}

diff --git a/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
@@ -40,6 +40,10 @@ spec:
         app: {{ .Values.externalSnapshotter.name }}
     spec:
       serviceAccountName: {{ .Values.externalSnapshotter.name }}
+      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: {{ .Values.externalSnapshotter.name }}
           image: {{ .Values.image.externalSnapshotter.repository }}:{{ .Values.image.externalSnapshotter.tag }}

diff --git a/deploy/csi-nfs-controller.yaml b/deploy/csi-nfs-controller.yaml
@@ -20,6 +20,9 @@ spec:
       nodeSelector:
         kubernetes.io/os: linux  # add "kubernetes.io/role: master" to run controller on master node
       priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
         - key: "node-role.kubernetes.io/master"
           operator: "Exists"

diff --git a/deploy/csi-nfs-node.yaml b/deploy/csi-nfs-node.yaml
@@ -20,6 +20,10 @@ spec:
       hostNetwork: true  # original nfs connection would be broken without hostNetwork setting
       dnsPolicy: Default  # available values: Default, ClusterFirstWithHostNet, ClusterFirst
       serviceAccountName: csi-nfs-node-sa
+      priorityClassName: system-node-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:

diff --git a/deploy/csi-snapshot-controller.yaml b/deploy/csi-snapshot-controller.yaml
@@ -31,6 +31,10 @@ spec:
         app: snapshot-controller
     spec:
       serviceAccountName: snapshot-controller
+      priorityClassName: system-cluster-critical
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: snapshot-controller
           image: registry.k8s.io/sig-storage/snapshot-controller:v6.1.0