helm: CSIDriver add labels and seLinuxMount disabling method

Signed-off-by: Ruslan Khizhnyak <rkhizhnyak@ptsecurity.com>
ceph · Mar 21, 2024 · d56c9ab · d56c9ab · Velociraptor85 · Mar 26, 2024
1 parent cd18490
commit d56c9ab
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 4 deletions.
diff --git a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: {{ .Values.driverName }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
   attachRequired: false
   podInfoOnMount: false
-  fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+  fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
   seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
@@ -57,6 +57,7 @@ sidecarLogLevel: 1
 # accessModes contains ReadWriteOnce.
 CSIDriver:
   fsGroupPolicy: "File"
+  seLinuxMount: true
 
 nodeplugin:
   name: nodeplugin

diff --git a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: {{ .Values.driverName }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
   attachRequired: true
   podInfoOnMount: false
-  fsGroupPolicy: File
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+  fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
   seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
@@ -69,6 +69,24 @@ logLevel: 5
 # sidecarLogLevel is the variable for Kubernetes sidecar container's log level
 sidecarLogLevel: 1
 
+# Set fsGroupPolicy for CSI Driver object spec
+# https://kubernetes-csi.github.io/docs/support-fsgroup.html
+# The following modes are supported:
+# - None: Indicates that volumes will be mounted with no modifications, as the
+#   CSI volume driver does not support these operations.
+# - File: Indicates that the CSI volume driver supports volume ownership and
+#   permission change via fsGroup, and Kubernetes may use fsGroup to change
+#   permissions and ownership of the volume to match user requested fsGroup in
+#   the pod's SecurityPolicy regardless of fstype or access mode.
+# - ReadWriteOnceWithFSType: Indicates that volumes will be examined to
+#   determine if volume ownership and permissions should be modified to match
+#   the pod's security policy.
+# Changes will only occur if the fsType is defined and the persistent volume's
+# accessModes contains ReadWriteOnce.
+CSIDriver:
+  fsGroupPolicy: "File"
+  seLinuxMount: true
+
 nodeplugin:
   name: nodeplugin
   # set user created priorityclassName for csi plugin pods. default is