5 changes: 5 additions & 0 deletions deploy/chart/local-path-provisioner/templates/configmap.yaml
Expand Up @@ -49,6 +49,9 @@ data:
{{- if .Values.configmap.helperPod.priorityClassName }}
priorityClassName: {{ .Values.configmap.helperPod.priorityClassName }}
{{- end }}
hostUsers: {{ .Values.configmap.helperPod.hostUsers }}
securityContext:
{{- toYaml .Values.configmap.helperPod.securityContext | nindent 8 }}
tolerations:
- key: node.kubernetes.io/disk-pressure
operator: Exists
Expand All @@ -66,3 +69,5 @@ data:
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.helperPod.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.configmap.helperPod.containerSecurityContext | nindent 12 }}
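Review bot: Unlike `priorityClassName` a few lines above, the new `hostUsers:` line is emitted unconditionally, so an override that sets `configmap.helperPod.hostUsers` to null renders a bare `hostUsers:` (YAML null) in the helper-pod manifest instead of omitting the field; if omission is the intended way to fall back to the cluster default, guard it like the neighbouring block with `{{- if hasKey .Values.configmap.helperPod "hostUsers" }}` … `{{- end }}`. The pod- and container-level `securityContext:` keys are likewise always rendered, which is fine while the chart defaults are non-empty maps but yields `securityContext: null` when a user clears them — presumably accepted by the API server, but a one-line template comment noting that this pod spec is a string inside ConfigMap `data` and is not validated at `helm template` time would help the next reader. The enclosing `data:` block starts outside both hunks.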
45 changes: 34 additions & 11 deletions deploy/chart/local-path-provisioner/values.yaml
Expand Up @@ -98,20 +98,23 @@ nodePathMap:

podAnnotations: {}

podSecurityContext: {}
# runAsNonRoot: true
podSecurityContext:
runAsNonRoot: true

hostUsers: true

securityContext: {}
# allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop: ["ALL"]
# runAsUser: 65534
# runAsGroup: 65534
# readOnlyRootFilesystem: true
# NOTE: launches a helper pod with hostPath volume
# thus namespace must permit PSS privileged.
# Last checked on kubernetes 1.35
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
Expand Down Expand Up @@ -181,6 +184,26 @@ configmap:
tolerations: []
# Priority class name for the helper pod (defaults to system-node-critical)
priorityClassName: "system-node-critical"
# Should the users map to system IDs
hostUsers: true
# pod level security controls
securityContext:
runAsNonRoot: false
# container level security controls
containerSecurityContext:
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- ALL
add:
- DAC_OVERRIDE
readOnlyRootFilesystem: true
runAsGroup: 0
runAsUser: 0
seccompProfile:
type: RuntimeDefault

# Number of provisioner worker threads to call provision/delete simultaneously.
# workerThreads: 4

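Review bot: The helper-pod `containerSecurityContext` block in the second hunk defaults to `runAsUser: 0`, `runAsGroup: 0`, pod-level `runAsNonRoot: false` and re-adds `DAC_OVERRIDE` after dropping all capabilities, but nothing in the values file says why root plus that capability is needed, so a later hardening pass is likely to strip it and break provisioning. Add a comment above `containerSecurityContext:` such as `# The helper pod runs as root with DAC_OVERRIDE so it can create, chmod and remove provisioned directories on the hostPath volume; tighten only if your nodes' path ownership allows it` (adjust if the actual reason differs). The comment `# Should the users map to system IDs` on `hostUsers` is unclear; `# Run the helper pod in the host user namespace (set to false only on clusters with user namespaces enabled)` states what the field controls. Style: the first hunk writes `drop: ["ALL"]` in flow style while this hunk uses block `drop:` / `- ALL`; pick one form for the file. The top-level `hostUsers: true` added in the first hunk is not consumed by the configmap template in this diff — if no other template in the PR reads `.Values.hostUsers`, it is dead configuration.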