
Commit 5aaee3a

Add SecurityPolicyException templates to helm_lib_csi_controller_manifests and helm_lib_csi_node_manifests
Signed-off-by: Sergey Petrov <sergey.petrov@flant.com>
1 parent 12b41a4 commit 5aaee3a

6 files changed

Lines changed: 1363 additions & 3 deletions


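--- a/charts/helm_lib/Chart.yaml
+++ b/charts/helm_lib/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.71.2
+version: 1.71.3
 description: "Helm utils template definitions for Deckhouse modules."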

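--- a/charts/helm_lib/templates/_csi_controller.tpl
+++ b/charts/helm_lib/templates/_csi_controller.tpl
@@ -116,6 +116,7 @@ memory: 50Mi
 {{- $additionalPullSecrets := $config.additionalPullSecrets }}
 {{- $forceCsiControllerPrivilegedContainer := $config.forceCsiControllerPrivilegedContainer | default false }}
 {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }}
+{{- $securityPolicyExceptionEnabled := $config.securityPolicyExceptionEnabled | default false }}
 
 {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }}
 
@@ -238,6 +239,9 @@ spec:
 metadata:
 labels:
 app: {{ $fullname }}
+{{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }}
+security.deckhouse.io/security-policy-exception: {{ $fullname }}
+{{- end }}
 {{- if or (hasPrefix "cloud-provider-" $context.Chart.Name) ($additionalCsiControllerPodAnnotations) }}
 annotations:
 {{- if hasPrefix "cloud-provider-" $context.Chart.Name }}
@@ -556,8 +560,102 @@ spec:
 {{- $additionalControllerVolumes | toYaml | nindent 6 }}
 {{- end }}
 
+{{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }}
+---
+apiVersion: deckhouse.io/v1alpha1
+kind: SecurityPolicyException
+metadata:
+name: {{ $fullname }}
+namespace: d8-{{ $context.Chart.Name }}
+spec:
+{{- if or $forceCsiControllerPrivilegedContainer $runAsRootUser (eq $csiControllerHostNetwork "true") (ne $csiControllerHostPID "false") }}
+{{- if or $forceCsiControllerPrivilegedContainer $runAsRootUser }}
+securityContext:
+{{- if $forceCsiControllerPrivilegedContainer }}
+privileged:
+allowedValue: true
+metadata:
+description: |
+Allow privileged mode for CSI Controller.
+The CSI Controller requires privileged access to perform storage management operations that need direct access to host resources, including device management and volume lifecycle control.
+capabilities:
+allowedValues:
+add:
+- SYS_ADMIN
+metadata:
+description: |
+Allow SYS_ADMIN capability for CSI Controller.
+The CSI Controller requires SYS_ADMIN capability to perform privileged storage management operations such as volume provisioning, snapshotting, and direct interaction with the storage backend.
+{{- end }}
+{{- if $runAsRootUser }}
+runAsUser:
+allowedValues:
+- 0
+metadata:
+description: |
+Allow running as root user (UID 0) for CSI Controller.
+The CSI Controller requires root privileges to interact with storage backends, manage volume lifecycle operations, and access cloud provider APIs.
+runAsNonRoot:
+allowedValue: false
+metadata:
+description: |
+Allow running as root for CSI Controller.
+The CSI Controller requires root access for storage management operations that need elevated privileges to interact with the underlying infrastructure.
+{{- end }}
+{{- end }}
+{{- if or (eq $csiControllerHostNetwork "true") (ne $csiControllerHostPID "false") }}
+network:
+{{- if eq $csiControllerHostNetwork "true" }}
+hostNetwork:
+allowedValue: true
+metadata:
+description: |
+Allow host network access for CSI Controller.
+The CSI Controller requires host network access to communicate with cloud provider API endpoints for volume provisioning, attachment, snapshot, and lifecycle management operations.
+{{- end }}
+{{- if ne $csiControllerHostPID "false" }}
+hostPID:
+allowedValue: true
+metadata:
+description: |
+Allow host PID namespace access for CSI Controller.
+The CSI Controller requires host PID namespace access to interact with host processes for storage operations and coordinate with system-level services.
+{{- end }}
+{{- end }}
+{{- $hasHostPathVolumes := false }}
+{{- if $additionalControllerVolumes }}
+{{- range $vol := $additionalControllerVolumes }}
+{{- if $vol.hostPath }}
+{{- $hasHostPathVolumes = true }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $hasHostPathVolumes }}
+volumes:
+types:
+allowedValues:
+- hostPath
+metadata:
+description: |
+Allow hostPath volume type for CSI Controller.
+The CSI Controller requires hostPath volumes for accessing host-level resources needed for storage management operations specific to the cloud provider implementation.
+hostPath:
+allowedValues:
+{{- range $vol := $additionalControllerVolumes }}
+{{- if $vol.hostPath }}
+- path: {{ $vol.hostPath.path }}
+readOnly: false
+metadata:
+description: |
+Allow access to additional hostPath volume at {{ $vol.hostPath.path }}.
+This hostPath volume is required by the CSI Controller for storage management operations specific to the cloud provider implementation.
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 
 
 {{- /* Usage: {{ include "helm_lib_csi_controller_rbac" . }} */ -}}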
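Review bot: The hostPath allowance for `$additionalControllerVolumes` (new lines 625–653) is nested inside the outer `{{- if or $forceCsiControllerPrivilegedContainer $runAsRootUser (eq $csiControllerHostNetwork "true") (ne $csiControllerHostPID "false") }}` at new line 571, so a controller that is neither privileged nor root and uses neither hostNetwork nor hostPID but still mounts an additional hostPath volume renders a SecurityPolicyException with a bare `spec:` (null) and no hostPath entry — presumably the admission policy then still rejects the pod, and an empty spec may not pass CRD validation either. Compute `$hasHostPathVolumes` before that condition and include it as a fifth operand, `{{- if or $forceCsiControllerPrivilegedContainer $runAsRootUser (eq $csiControllerHostNetwork "true") (ne $csiControllerHostPID "false") $hasHostPathVolumes }}`, so the resource is only emitted with a non-empty spec. Every additional hostPath is also granted with `readOnly: false` regardless of how it is mounted; if that permits writable mounts (as with PSP allowedHostPaths), deriving it from a per-volume flag keeps the exception no broader than the mount, and quoting the templated path (`- path: {{ $vol.hostPath.path | quote }}`) is the safer YAML form. The three new `{{- end }}` at 656–658 sit after the pre-existing closers at 654–655, which balances the template but obscures which end closes the exception block; placing them before the old ends would keep the block self-contained. The enclosing define starts before this hunk.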

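--- a/charts/helm_lib/templates/_csi_node.tpl
+++ b/charts/helm_lib/templates/_csi_node.tpl
@@ -37,6 +37,7 @@ memory: 25Mi
 {{- $csiNodeHostNetwork := $config.csiNodeHostNetwork | default "true" }}
 {{- $csiNodeHostPID := $config.csiNodeHostPID | default "false" }}
 {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }}
+{{- $securityPolicyExceptionEnabled := $config.securityPolicyExceptionEnabled | default false }}
 {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }}
 {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiNodeDriverRegistrar" $kubernetesSemVer) }}
 {{- if $driverRegistrarImage }}
@@ -91,6 +92,9 @@ spec:
 metadata:
 labels:
 app: {{ $fullname }}
+{{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }}
+security.deckhouse.io/security-policy-exception: {{ $fullname }}
+{{- end }}
 {{- if or (hasPrefix "cloud-provider-" $context.Chart.Name) ($additionalCsiNodePodAnnotations) }}
 annotations:
 {{- if hasPrefix "cloud-provider-" $context.Chart.Name }}
@@ -267,6 +271,112 @@ spec:
 {{- $additionalNodeVolumes | toYaml | nindent 6 }}
 {{- end }}
 
-{{- end }}
+{{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }}
+---
+apiVersion: deckhouse.io/v1alpha1
+kind: SecurityPolicyException
+metadata:
+name: {{ $fullname }}
+namespace: d8-{{ $context.Chart.Name }}
+spec:
+securityContext:
+privileged:
+allowedValue: true
+metadata:
+description: |
+Allow privileged mode for CSI Node Driver.
+The CSI Node Driver requires privileged access to perform critical storage operations such as mounting/unmounting volumes, formatting block devices, and interacting directly with the host kernel for disk management.
+runAsNonRoot:
+allowedValue: false
+metadata:
+description: |
+Allow running as root for CSI Node Driver.
+The CSI Node Driver requires root access to perform privileged storage operations on the host, including device management and filesystem mounting.
+runAsUser:
+allowedValues:
+- 0
+metadata:
+description: |
+Allow running as root user (UID 0) for CSI Node Driver.
+The CSI Node Driver and node-driver-registrar require root privileges to perform storage operations, interact with host devices, and manage volume mounts.
+{{- if $setSysAdminCapability }}
+capabilities:
+allowedValues:
+add:
+- SYS_ADMIN
+metadata:
+description: |
+Allow SYS_ADMIN capability for CSI Node Driver.
+The CSI Node Driver requires SYS_ADMIN capability to perform privileged filesystem operations such as mounting, unmounting, and managing block devices on the host.
+{{- end }}
+
+{{- if or (eq $csiNodeHostNetwork "true") (ne $csiNodeHostPID "false") }}
+network:
+{{- if eq $csiNodeHostNetwork "true" }}
+hostNetwork:
+allowedValue: true
+metadata:
+description: |
+Allow host network access for CSI Node Driver.
+The CSI Node Driver requires host network access to communicate with the CSI Controller, coordinate volume attachment operations, and synchronize storage metadata across the cluster.
 {{- end }}
+{{- if ne $csiNodeHostPID "false" }}
+hostPID:
+allowedValue: true
+metadata:
+description: |
+Allow host PID namespace access for CSI Node Driver.
+The CSI Node Driver requires host PID namespace access to interact with host processes for storage operations such as detecting mount points and managing device attachments.
+{{- end }}
+{{- end }}
+
+volumes:
+types:
+allowedValues:
+- hostPath
+metadata:
+description: |
+Allow hostPath volume type for CSI Node.
+The CSI Node Driver requires hostPath volumes to access host filesystem paths for proper operation, including communication with the container runtime and access to block devices.
+hostPath:
+allowedValues:
+- path: /var/lib/kubelet/plugins_registry/
+readOnly: false
+metadata:
+description: |
+Allow access to the CSI plugin registry directory.
+CSI Node Driver registers itself in this directory to enable dynamic discovery and communication with the kubelet.
+- path: /var/lib/kubelet
+readOnly: false
+metadata:
+description: |
+Allow access to the kubelet root directory.
+Required for CSI Node Driver to manage volume mounts and access kubelet data structures.
+- path: /var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/
+readOnly: false
+metadata:
+description: |
+Allow access to the CSI plugin directory.
+This directory contains the CSI driver socket and persistent data required for volume attachment and mounting operations.
+- path: /dev
+readOnly: false
+metadata:
+description: |
+Allow access to host device directory.
+CSI Node Driver requires access to /dev to manage block devices and perform disk operations for persistent volumes.
+{{- if $additionalNodeVolumes }}
+{{- range $vol := $additionalNodeVolumes }}
+{{- if $vol.hostPath }}
+- path: {{ $vol.hostPath.path }}
+readOnly: false
+metadata:
+description: |
+Allow access to additional hostPath volume at {{ $vol.hostPath.path }}.
+This additional hostPath volume is required by the CSI Node Driver for extended storage operations specific to the cloud provider implementation.
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- end }}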
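Review bot: The node exception grants `privileged: allowedValue: true`, `runAsNonRoot: allowedValue: false` and `runAsUser` 0 unconditionally (new lines 282–301) while only `capabilities` is gated on `$setSysAdminCapability`; if the DaemonSet's container securityContext can ever be non-privileged or non-root, the exception is wider than the workload and should be gated on the same variables the pod spec uses, and if it is always privileged a comment such as `{{- /* the node plugin always runs privileged as UID 0, so no gate is needed here */ }}` would record why. Every `$additionalNodeVolumes` hostPath (new lines 367–378) is allowed with `readOnly: false` regardless of how the volume is mounted; if that permits writable mounts, deriving it from a per-volume flag keeps the grant no broader than the mount, and quoting the templated paths (`- path: {{ $vol.hostPath.path | quote }}`, likewise the `{{ $driverFQDN }}` entry) is the safer YAML form. The hostNetwork rationale at 320–321 says the driver needs host networking to communicate with the CSI Controller, but a CSI node plugin is driven by the kubelet over the unix socket in the csi-plugins directory rather than by the controller, and this description is the justification an operator reads when approving the exception — state the actual reason host networking is required for the node pod. The enclosing define starts before this hunk.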

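--- a/tests/tests/__snapshot__/helm_lib_kube_rbac_proxy_ca_certificate_test.yaml.snap
+++ b/tests/tests/__snapshot__/helm_lib_kube_rbac_proxy_ca_certificate_test.yaml.snap
@@ -2,7 +2,7 @@ does not change document between test runs:
 1: |
 apiVersion: v1
 data:
-ca.crt: |2
+ca.crt: |
 cert
 kind: ConfigMap
 metadata: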
