From 660aecdb38057f5434610eb3a3ba43c37c514659 Mon Sep 17 00:00:00 2001
From: Behnam Shobiri
Date: Fri, 8 May 2026 15:13:14 -0400
Subject: [PATCH 1/2] harden moutned path

---
 pkg/render/csi.go | 7 ++++---
 pkg/render/csi_test.go | 37 +++++++++++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/pkg/render/csi.go b/pkg/render/csi.go
index 83662c481c..53c85a73ed 100644
--- a/pkg/render/csi.go
+++ b/pkg/render/csi.go
@@ -171,7 +171,7 @@ func (c *csiComponent) csiContainers() []corev1.Container {
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "varrun",
- MountPath: filepath.Clean("/var/run"),
+ MountPath: filepath.Clean("/var/run/nodeagent"),
 },
 {
 Name: "socket-dir",
@@ -216,7 +216,7 @@ func (c *csiComponent) csiContainers() []corev1.Container {
 },
 },
 },
- SecurityContext: securitycontext.NewRootContext(true),
+ SecurityContext: securitycontext.NewRootContext(false),
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "socket-dir",
@@ -243,7 +243,8 @@ func (c *csiComponent) csiVolumes() []corev1.Volume {
 Name: "varrun",
 VolumeSource: corev1.VolumeSource{
 HostPath: &corev1.HostPathVolumeSource{
- Path: filepath.Clean("/var/run"),
+ Path: filepath.Clean("/var/run/nodeagent"),
+ Type: &hostPathTypeDirOrCreate,
 },
 },
 },
diff --git a/pkg/render/csi_test.go b/pkg/render/csi_test.go
index 7a3ee3749c..a41a34f265 100644
--- a/pkg/render/csi_test.go
+++ b/pkg/render/csi_test.go
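Review bot: `filepath.Clean` wrapped around the constant `"/var/run/nodeagent"` on the new `+ MountPath:` line is a no-op, and the same wrapper appears on the HostPath `Path` in the third hunk; it suggests a user-derived path where there is none. Writing the literal once as a named constant shared by the mount and the volume, e.g. `const varRunNodeAgentPath = "/var/run/nodeagent"`, would make the two sites unable to drift apart — the test added in csi_test.go only catches a drift after the fact. The rationale for narrowing the mount is stated in the test but not in the render code; a comment on the mount such as `// Mount only the nodeagent subdirectory: bind-mounting all of /var/run would also expose the container runtime socket to this container.` keeps it where the next edit happens. csiContainers() continues outside the hunk.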
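Review bot: The new `+ Type: &hostPathTypeDirOrCreate,` (the test pins it to `corev1.HostPathDirectoryOrCreate`) tells the kubelet to create `/var/run/nodeagent` on the host when it does not exist, and the hunk does not say why create-on-demand was chosen over `corev1.HostPathDirectory` or who is expected to own and populate that directory. One consequence worth spelling out is that a mistyped or moved path no longer fails the pod: the kubelet silently creates an empty directory and the CSI driver runs against it. A short comment on the volume, e.g. `// DirectoryOrCreate: the nodeagent directory may not exist yet on a fresh node; the kubelet creates it with its default ownership and mode.`, would record the intent. On hosts where /var/run is a symlink to /run the kubelet presumably resolves the path through the link before creating it — confirm on such a host rather than assume. csiVolumes() continues outside the hunk.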
@@ -88,8 +88,8 @@ var _ = Describe("CSI rendering tests", func() {
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 }))
 
- Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.AllowPrivilegeEscalation).To(BeTrue())
- Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.Privileged).To(BeTrue())
+ Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
+ Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.Privileged).To(BeFalse())
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsGroup).To(BeEquivalentTo(0))
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsNonRoot).To(BeFalse())
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsUser).To(BeEquivalentTo(0))
@@ -103,6 +103,39 @@ var _ = Describe("CSI rendering tests", func() {
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 }))
 Expect(ds.Spec.Template.Spec.ServiceAccountName).To(Equal(render.CSIDaemonSetName))
+
+ // The varrun host-path mount must be narrowed to /var/run/nodeagent so
+ // the calico-csi container cannot reach the container runtime socket
+ // (e.g. /var/run/containerd/containerd.sock) on the node.
+ var varrunMount *corev1.VolumeMount
+ for i := range ds.Spec.Template.Spec.Containers[0].VolumeMounts {
+ vm := &ds.Spec.Template.Spec.Containers[0].VolumeMounts[i]
+ if vm.Name == "varrun" {
+ varrunMount = vm
+ break
+ }
+ }
+ Expect(varrunMount).NotTo(BeNil())
+ Expect(varrunMount.MountPath).To(Equal("/var/run/nodeagent"))
+
+ var varrunVol *corev1.Volume
+ for i := range ds.Spec.Template.Spec.Volumes {
+ v := &ds.Spec.Template.Spec.Volumes[i]
+ if v.Name == "varrun" {
+ varrunVol = v
+ break
+ }
+ }
+ Expect(varrunVol).NotTo(BeNil())
+ Expect(varrunVol.HostPath).NotTo(BeNil())
+ Expect(varrunVol.HostPath.Path).To(Equal("/var/run/nodeagent"))
+ Expect(varrunVol.HostPath.Type).NotTo(BeNil())
+ Expect(*varrunVol.HostPath.Type).To(Equal(corev1.HostPathDirectoryOrCreate))
+
+ // The csi-node-driver-registrar container must not mount varrun at all.
+ for _, vm := range ds.Spec.Template.Spec.Containers[1].VolumeMounts {
+ Expect(vm.Name).NotTo(Equal("varrun"))
+ }
 })
 
 It("should render properly when KubeletVolumePluginPath is set to 'None'", func() {
From f0dd54e84a2c3d41a54fd053ac5425cb1b999d31 Mon Sep 17 00:00:00 2001
From: Behnam Shobiri
Date: Fri, 8 May 2026 15:49:54 -0400
Subject: [PATCH 2/2] minor fix

---
 pkg/render/csi.go | 4 +++-
 pkg/render/csi_test.go | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/render/csi.go b/pkg/render/csi.go
index 53c85a73ed..3b10cd3d7a 100644
--- a/pkg/render/csi.go
+++ b/pkg/render/csi.go
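Review bot: The new assertions pin the `varrun` volume and mount to `/var/run/nodeagent`, but nothing in them stops a later change from re-exposing the whole of `/var/run` under a different volume name, which is the regression the comment at the top of the block is guarding against. A loop over `ds.Spec.Template.Spec.Volumes` that rejects any hostPath volume whose `Path` is `/var/run` closes that gap; it also documents the rule independently of the volume name. The index-based `Containers[0]` / `Containers[1]` access matches the existing assertions in this file, though a lookup by container name would survive a reordering — not a blocker. The enclosing `It(...)` body starts outside the hunk.

```go
// … unchanged: varrunMount / varrunVol lookups and assertions …

// No hostPath volume may expose the whole of /var/run, whatever its name.
for _, v := range ds.Spec.Template.Spec.Volumes {
	if v.HostPath == nil {
		continue
	}
	Expect(v.HostPath.Path).NotTo(Equal("/var/run"), "volume %q mounts the whole of /var/run", v.Name)
}
```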
@@ -216,7 +216,9 @@ func (c *csiComponent) csiContainers() []corev1.Container {
 },
 },
 },
- SecurityContext: securitycontext.NewRootContext(false),
+ // Privileged is required here for SELinux compat on OpenShift/RHEL: a non-privileged registrar
+ // (container_t) cannot connect to the UDS created by the privileged calico-csi container (spc_t).
+ SecurityContext: securitycontext.NewRootContext(true),
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "socket-dir",
diff --git a/pkg/render/csi_test.go b/pkg/render/csi_test.go
index a41a34f265..69119f5076 100644
--- a/pkg/render/csi_test.go
+++ b/pkg/render/csi_test.go
@@ -88,8 +88,8 @@ var _ = Describe("CSI rendering tests", func() {
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 }))
 
- Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
- Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.Privileged).To(BeFalse())
+ Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.AllowPrivilegeEscalation).To(BeTrue())
+ Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.Privileged).To(BeTrue())
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsGroup).To(BeEquivalentTo(0))
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsNonRoot).To(BeFalse())
 Expect(*ds.Spec.Template.Spec.Containers[1].SecurityContext.RunAsUser).To(BeEquivalentTo(0))
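Review bot: Reverting to `securitycontext.NewRootContext(true)` gives the registrar a fully privileged context again (the csi_test.go hunk in the same patch pins both `Privileged` and `AllowPrivilegeEscalation` to true) while the added comment only needs the process label to match the socket. A narrower fix worth evaluating is to keep `NewRootContext(false)` and set `sc.SELinuxOptions = &corev1.SELinuxOptions{Type: "spc_t"}` on the returned context (assuming it returns `*corev1.SecurityContext`, as the field it populates suggests), which requests the same label without the capabilities and host-device access that `Privileged` implies; whether the socket-dir labelling then permits the connect has to be confirmed on an OpenShift/RHEL node. If privileged has to stay, the comment should also record that the registrar does not mount `varrun` (the first patch's test asserts this), so the wider context does not widen access to the host's `/var/run`. csiContainers() continues outside the hunk.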
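Review bot: The flipped `Expect(...Privileged).To(BeTrue())` assertions give no hint why the registrar is privileged; the reason now lives only in the csi.go comment, and a reader who sees the first patch of this series could reasonably "harden" the expectation back to `BeFalse`. A comment above the two assertions, `// Privileged is deliberate: on SELinux hosts the registrar needs the spc_t label to reach the socket of the privileged calico-csi container (see csiContainers in csi.go).`, keeps the test self-explaining. Since this hunk reverts the first patch's change to the same two lines, squashing the two patches would also avoid a history where the expectation flips twice. The enclosing `It(...)` body starts and ends outside the hunk.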