feat(chart): make pod and sidecar securityContext configurable#672
feat(chart): make pod and sidecar securityContext configurable#672yugstar wants to merge 2 commits into
Conversation
The csi-driver DaemonSet hardcoded the pod-level and per-container securityContext, including privileged: true and runAsUser: 0 on the cert-manager-csi-driver container. Operators with Pod Security Standards or compliance requirements could not adjust the security posture without forking the chart (cert-manager#583). Move the securityContext blocks into values.yaml: - podSecurityContext (pod-level) - securityContext (cert-manager-csi-driver) - nodeDriverRegistrarSecurityContext (node-driver-registrar) - livenessProbeSecurityContext (liveness-probe) Each default reproduces the previously hardcoded value exactly, so the rendered DaemonSet is unchanged. The cert-manager-csi-driver container keeps privileged: true by default because it mounts pods-mount-dir and csi-data-dir with mountPropagation: Bidirectional, which Kubernetes only permits for privileged containers. Operators may now opt into a hardened context at their own discretion. Regenerated values.schema.json and README.md, and added helm-unittest coverage for the defaults and overrides. Refs cert-manager#583 Signed-off-by: Aman Raj <aman.yug@gmail.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @yugstar. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi @yugstar — same comment I just left on the companion PR cert-manager/csi-driver-spiffe#538, since this PR shares the same driver model. Before reviewing the chart changes I empirically tested whether the driver actually functions with The short version: every variant of I also could not find a legitimate operator use case for the other knobs (podSecurityContext, sidecar fields, per-container
I think the right outcome is to close this PR and address #583 with either (1) documentation in the chart README of why Happy to be shown wrong if you have an operator scenario the table in the issue comment does not cover. Edit — walking back the secondary point above I overstated the case when I said I "could not find a legitimate operator use case" for
So the narrower recommendation: keep Apologies for the overshoot in the previous comment. |
Following @wallrj-cyberark's empirical testing in cert-manager#583, the cert-manager-csi-driver container must run privileged: it mounts pods-mount-dir and csi-data-dir with mountPropagation: Bidirectional, which Kubernetes only permits for privileged containers. Exposing its securityContext let operators set privileged: false to satisfy a scanner and silently break the driver, so keep it hardcoded with an explanatory comment. Keep the pod-level securityContext and the two sidecar securityContext knobs (node-driver-registrar, liveness-probe), which are legitimate operator customisation points matching the cert-manager/trust-manager#836 precedent. Signed-off-by: Aman Raj <aman.yug@gmail.com>
|
Same trim applied here as on the companion cert-manager/csi-driver-spiffe#538, per your review on #583. Dropped the main-container |
What
Makes the csi-driver DaemonSet's pod- and container-level
securityContextconfigurable throughvalues.yaml, instead of hardcoding it in the template. Addresses #583.New values (each defaults to the value that was previously hardcoded):
podSecurityContextsecurityContextcert-manager-csi-drivernodeDriverRegistrarSecurityContextnode-driver-registrarlivenessProbeSecurityContextliveness-probeWhy
Today
templates/daemonset.yamlhardcodesprivileged: trueandrunAsUser: 0on the main container (andrunAsUser: 0on both sidecars), with no.Values.*overrides. Operators subject to Pod Security Standards (Baseline/Restricted) or security-scanning policies cannot adjust the posture without forking the chart — exactly the problem reported in #583.This mirrors the convention already used in the main
cert-managerchart, which exposessecurityContext/containerSecurityContextas values with behavior-preserving defaults.What changes by default
Nothing. Every new value defaults to the exact value that was previously hardcoded, so
helm templateoutput is semantically identical (verified by parsing the before/after manifests and asserting deep-equality, plus a helm-unittest golden suite). Mounting is unaffected: thepods-mount-dir/csi-data-dirmounts and theirmountPropagation: "Bidirectional"are untouched, and the main container keepsprivileged: trueby default.What becomes possible (opt-in)
Operators can now override any field, for example:
A note on dropping
privileged(re: the discussion in #583)The issue discussion suggests
privileged: truecould simply be removed. I deliberately kept it as the default here: thecert-manager-csi-drivercontainer mountspods-mount-dirandcsi-data-dirwithmountPropagation: Bidirectional, and Kubernetes only permits Bidirectional mount propagation on privileged containers — so removingprivilegedoutright would stop the driver pods from starting. Keeping the default unchanged makes this a pure, zero-risk configurability change, while still letting operators who have validated an alternative (e.g.CAP_SYS_ADMINwith adjusted propagation) opt into it. Flipping the default to non-privileged is a behavioral change that's best evaluated separately, with mount validation on a real cluster.Testing
helm templatebefore/after manifests are semantically identical (default render unchanged).make verify-helm-unittest— newtests/securitycontext_test.yaml(defaults preserved + opt-in overrides + null-clears-block).make verify-helm-values,make verify-helm-lint,make verify-helm-kubeconform,make verify-pod-security-standardsall pass.values.schema.jsonandREADME.mdregenerated viamake generate-helm-schema generate-helm-docs.Open question
I named the per-container values
securityContext/nodeDriverRegistrarSecurityContext/livenessProbeSecurityContext. If maintainers prefer a different layout (e.g. nesting them under a single map), that's a trivial rename and the default render stays identical — happy to adjust.