From 8b8299e45c7cd4b6e1496759d4c6e5e785e65f8f Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Mon, 29 Dec 2025 12:13:46 -0600
Subject: [PATCH 1/2] Grant helper pod only the priv it needs, explicitly set root bits
---
.../templates/configmap.yaml | 5 +++++
.../chart/local-path-provisioner/values.yaml | 20 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/deploy/chart/local-path-provisioner/templates/configmap.yaml b/deploy/chart/local-path-provisioner/templates/configmap.yaml
index bc626e00..2ecc9d16 100644
--- a/deploy/chart/local-path-provisioner/templates/configmap.yaml
+++ b/deploy/chart/local-path-provisioner/templates/configmap.yaml
@@ -49,6 +49,9 @@ data:
 {{- if .Values.configmap.helperPod.priorityClassName }}
 priorityClassName: {{ .Values.configmap.helperPod.priorityClassName }}
 {{- end }}
+ hostUsers: {{ .Values.configmap.helperPod.hostUsers }}
+ securityContext:
+ {{- toYaml .Values.configmap.helperPod.securityContext | nindent 8 }}
 tolerations:
 - key: node.kubernetes.io/disk-pressure
 operator: Exists
@@ -66,3 +69,5 @@ data:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 resources:
 {{- toYaml .Values.helperPod.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.configmap.helperPod.containerSecurityContext | nindent 12 }}
diff --git a/deploy/chart/local-path-provisioner/values.yaml b/deploy/chart/local-path-provisioner/values.yaml
index 4ed1064c..43dac018 100644
--- a/deploy/chart/local-path-provisioner/values.yaml
+++ b/deploy/chart/local-path-provisioner/values.yaml
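Review bot: `hostUsers: {{ .Values.configmap.helperPod.hostUsers }}` in the first hunk is rendered unguarded, so a values file that omits or nulls the key produces `hostUsers:` (YAML null) instead of leaving the field unset, whereas the `priorityClassName` line just above it is wrapped in an `{{- if }}` guard. The same shape works here, `{{- if hasKey .Values.configmap.helperPod "hostUsers" }}` … `{{- end }}`; a `| default true` fallback would be wrong because Sprig's `default` treats the boolean `false` as empty and would silently flip an explicit `hostUsers: false` back to `true`. The helper pod manifest this hunk sits in starts before the hunk.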
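Review bot: In the second hunk the new container `securityContext` reads `.Values.configmap.helperPod.containerSecurityContext` while `resources:` two lines above reads `.Values.helperPod.resources`, so the same container's settings are now split across two value roots, which makes it easy for an operator hardening the helper to edit the wrong stanza. If the split is intentional, a template comment above the new line would save the next reader the search, e.g. `{{- /* container hardening for the helper; see configmap.helperPod.containerSecurityContext in values.yaml */ -}}`; otherwise the new key belongs next to `helperPod.resources`. The container spec this hunk sits in starts before the hunk.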
@@ -181,6 +181,26 @@ configmap:
 tolerations: []
 # Priority class name for the helper pod (defaults to system-node-critical)
 priorityClassName: "system-node-critical"
+ # Should the users map to system IDs
+ hostUsers: true
+ # pod level security controls
+ securityContext:
+ runAsNonRoot: false
+ # container level security controls
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - DAC_OVERRIDE
+ readOnlyRootFilesystem: true
+ runAsGroup: 0
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
+
 # Number of provisioner worker threads to call provision/delete simultaneously.
 # workerThreads: 4
From 9b8a34d3c4234794ecb44dfc128c7d64fab4a22d Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Tue, 6 Jan 2026 12:20:23 -0600
Subject: [PATCH 2/2] Set operator pod to match pss-restricted
---
.../chart/local-path-provisioner/values.yaml | 25 +++++++++++--------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/deploy/chart/local-path-provisioner/values.yaml b/deploy/chart/local-path-provisioner/values.yaml
index 43dac018..f09f3518 100644
--- a/deploy/chart/local-path-provisioner/values.yaml
+++ b/deploy/chart/local-path-provisioner/values.yaml
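Review bot: The new `containerSecurityContext` runs the helper as `runAsUser: 0` with `drop: [ALL]` plus `add: [DAC_OVERRIDE]`, but the only explanation is `# container level security controls`, which does not tell an operator why root and that one capability are needed or what breaks if they change it; as far as I know an added capability only becomes effective for a uid-0 process in a container, so someone who overrides `runAsUser` to a non-root id keeps the `add` entry while losing its effect. A comment above `containerSecurityContext:` along the lines of `# Root plus DAC_OVERRIDE only: presumably needed so the helper can manage directories on the hostPath volume whatever their owner; the capability has no effect if runAsUser is set to a non-root id` would capture that, with the reason confirmed against the helper script. The comment `# Should the users map to system IDs` is also unclear; `# Run in the host user namespace (hostUsers: false needs user-namespace support on the node)` says what the field does.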
@@ -98,20 +98,23 @@ nodePathMap:
 podAnnotations: {}
-podSecurityContext: {}
- # runAsNonRoot: true
+podSecurityContext:
+ runAsNonRoot: true
 hostUsers: true
-securityContext: {}
- # allowPrivilegeEscalation: false
- # seccompProfile:
- # type: RuntimeDefault
- # capabilities:
- # drop: ["ALL"]
- # runAsUser: 65534
- # runAsGroup: 65534
- # readOnlyRootFilesystem: true
+# NOTE: launches a helper pod with hostPath volume
+# thus namespace must permit PSS privileged.
+# Last checked on kubernetes 1.35
+securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ runAsUser: 65534
+ runAsGroup: 65534
+ readOnlyRootFilesystem: true
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
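Review bot: The added `# NOTE: launches a helper pod with hostPath volume / thus namespace must permit PSS privileged.` sits directly above the container `securityContext` that this commit tightens to restricted-profile settings, so it reads as if those settings were what required a privileged namespace; it belongs at the head of the stanza, above `podSecurityContext:`, and should separate the two facts: `# The provisioner container itself meets PSS restricted; the namespace its helper pods are created in must still allow privileged, because they mount hostPath volumes (last checked on kubernetes 1.35).` Whether the helper pods land in this same namespace is not visible here and is worth stating in that comment. `readOnlyRootFilesystem: true` also moves from a commented suggestion to the shipped default, so it is worth confirming the provisioner binary writes nothing outside its mounted volumes before this is released.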