Limit Ceph Provisioner Container Security Contexts

Wherever possible, the ceph-provisioner containers need to run with the least amount of privilege required. In some cases there are privileges granted but are not needed. This patchset modifies those container's security contexts to reduce them to only what is needed. Change-Id: I74bd31df4af5cacc26834e645b0816bf285e8428
2021-07-28 14:49:18 +00:00 · 2021-07-28 14:49:18 +00:00 · 6e794561ac
commit 6e794561ac
parent bf5f545c1c
3 changed files with 9 additions and 5 deletions
--- a/ceph-provisioners/Chart.yaml
+++ b/ceph-provisioners/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Provisioner
 name: ceph-provisioners
-version: 0.1.10
+version: 0.1.11
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-provisioners/values.yaml
+++ b/ceph-provisioners/values.yaml
@ -86,11 +86,14 @@ pod:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        ceph_rbd_snapshotter:
-          privileged: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        ceph_rbd_attacher:
-          privileged: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        ceph_rbd_resizer:
-          privileged: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        ceph_rbd_cephcsi:
          privileged: true
          capabilities:
--- a/releasenotes/notes/ceph-provisioners.yaml
+++ b/releasenotes/notes/ceph-provisioners.yaml
@ -9,5 +9,6 @@ ceph-provisioners:
  - 0.1.6 Update ceph_mon config as per new ceph clients
  - 0.1.7 Use full image ref for docker official images
  - 0.1.8 Enable Ceph CSI Provisioner to Stand Alone
-  - 0.1.10  Add check for empty ceph endpoint
+  - 0.1.10 Add check for empty ceph endpoint
+  - 0.1.11 Limit Ceph Provisioner Container Security Contexts
 ...