Changes for CSI NFS controller and nodes (#55)

Signed-off-by: v.oleynikov <[email protected]>

Author: duckhawk

charts/helm_lib/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.20.0
+version: 1.21.0
 description: "Helm utils template definitions for Deckhouse modules."

charts/helm_lib/README.md

@@ -47,10 +47,12 @@
 | [helm_lib_module_pod_security_context_run_as_user_deckhouse](#helm_lib_module_pod_security_context_run_as_user_deckhouse) |
 | [helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs) |
 | [helm_lib_module_pod_security_context_run_as_user_root](#helm_lib_module_pod_security_context_run_as_user_root) |
+| [helm_lib_module_pod_security_context_runtime_default](#helm_lib_module_pod_security_context_runtime_default) |
 | [helm_lib_module_container_security_context_not_allow_privilege_escalation](#helm_lib_module_container_security_context_not_allow_privilege_escalation) |
 | [helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux](#helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux) |
 | [helm_lib_module_container_security_context_read_only_root_filesystem](#helm_lib_module_container_security_context_read_only_root_filesystem) |
 | [helm_lib_module_container_security_context_privileged](#helm_lib_module_container_security_context_privileged) |
+| [helm_lib_module_container_security_context_escalated_sys_admin_privileged](#helm_lib_module_container_security_context_escalated_sys_admin_privileged) |
 | [helm_lib_module_container_security_context_privileged_read_only_root_filesystem](#helm_lib_module_container_security_context_privileged_read_only_root_filesystem) |
 | [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all) |
 | [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add) |
@@ -529,6 +531,19 @@ list:
 -  Template context with .Values, .Chart, etc 
 
 
+### helm_lib_module_pod_security_context_runtime_default
+
+ returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault 
+
+#### Usage
+
+`{{ include "helm_lib_module_pod_security_context_runtime_default" . }} `
+
+#### Arguments
+
+-  Template context with .Values, .Chart, etc 
+
+
 ### helm_lib_module_container_security_context_not_allow_privilege_escalation
 
  returns SecurityContext parameters for Container with allowPrivilegeEscalation false 
@@ -575,6 +590,16 @@ list:
 
 
 
+### helm_lib_module_container_security_context_escalated_sys_admin_privileged
+
+ returns SecurityContext parameters for Container running privileged with escalation and sys_admin 
+
+#### Usage
+
+`{{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} `
+
+
+
 ### helm_lib_module_container_security_context_privileged_read_only_root_filesystem
 
  returns SecurityContext parameters for Container running privileged with read only root filesystem 

charts/helm_lib/templates/_csi_controller.tpl

@@ -172,7 +172,11 @@ spec:
       {{- include "helm_lib_priority_class" (tuple $context "system-cluster-critical") | nindent 6 }}
       {{- include "helm_lib_node_selector" (tuple $context "master") | nindent 6 }}
       {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-uninitialized") | nindent 6 }}
+{{- if $context.Values.global.enabledModules | has "csi-nfs" }}
+      {{- include "helm_lib_module_pod_security_context_runtime_default" . | nindent 6 }}
+{{- else }}
       {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
+{{- end }}
       serviceAccountName: csi
       containers:
       - name: provisioner
@@ -324,7 +328,11 @@ spec:
             {{- include "livenessprobe_resources" $context | nindent 12 }}
   {{- end }}
       - name: controller
+{{- if $context.Values.global.enabledModules | has "csi-nfs" }}
+        {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }}
+{{- else }}
         {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+{{- end }}
         image: {{ $controllerImage | quote }}
         args:
     {{- if $additionalControllerArgs }}

charts/helm_lib/templates/_csi_node.tpl

@@ -28,7 +28,7 @@ memory: 25Mi
   {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }}
   {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }}
   {{- if $driverRegistrarImage }}
-    {{- if or (include "_helm_lib_cloud_or_hybrid_cluster" $context) ($context.Values.global.enabledModules | has "ceph-csi") }}
+    {{- if or (include "_helm_lib_cloud_or_hybrid_cluster" $context) ($context.Values.global.enabledModules | has "ceph-csi") ($context.Values.global.enabledModules | has "csi-nfs") }}
       {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
 ---
 apiVersion: autoscaling.k8s.io/v1
@@ -88,7 +88,7 @@ spec:
                 - CloudEphemeral
                 - CloudPermanent
                 - CloudStatic
-                {{- if or (eq $fullname "csi-node-rbd") (eq $fullname "csi-node-cephfs") }}
+                {{- if or (eq $fullname "csi-node-rbd") (eq $fullname "csi-node-cephfs") (eq $fullname "csi-nfs") }}
                 - Static
                 {{- end }}
       imagePullSecrets:

charts/helm_lib/templates/_module_security_context.tpl

@@ -62,6 +62,15 @@ securityContext:
   runAsGroup: 0
 {{- end }}
 
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_runtime_default" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault */ -}}
+{{- define "helm_lib_module_pod_security_context_runtime_default" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+  seccompProfile:
+    type: RuntimeDefault
+{{- end }}
+
 {{- /* Usage: {{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} */ -}}
 {{- /* returns SecurityContext parameters for Container with allowPrivilegeEscalation false */ -}}
 {{- define "helm_lib_module_container_security_context_not_allow_privilege_escalation" -}}
@@ -97,6 +106,17 @@ securityContext:
   privileged: true
 {{- end }}
 
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged with escalation and sys_admin */ -}}
+{{- define "helm_lib_module_container_security_context_escalated_sys_admin_privileged" -}}
+securityContext:
+  allowPrivilegeEscalation: true
+  capabilities:
+    add:
+    - SYS_ADMIN
+  privileged: true
+{{- end }}
+
 {{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} */ -}}
 {{- /* returns SecurityContext parameters for Container running privileged with read only root filesystem */ -}}
 {{- define "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" -}}