From 4517736a87287bc864aa3a1f753aaa18c7b708c2 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 9 Dec 2024 19:20:47 +0100 Subject: [PATCH] fix: add securitycontext (#17) --- chart/pulumi-esc-csi-provider/Chart.yaml | 2 +- chart/pulumi-esc-csi-provider/README.md | 4 ++-- .../pulumi-esc-csi-provider/templates/daemonset.yaml | 4 +++- deployment/pulumi-esc-csi-provider.yaml | 12 ++++++++---- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/chart/pulumi-esc-csi-provider/Chart.yaml b/chart/pulumi-esc-csi-provider/Chart.yaml index 41695f3..ff261c0 100644 --- a/chart/pulumi-esc-csi-provider/Chart.yaml +++ b/chart/pulumi-esc-csi-provider/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart for the Pulumi ESC CSI provider type: application -version: 0.1.3 +version: 0.1.4 appVersion: "0.1.0" maintainers: diff --git a/chart/pulumi-esc-csi-provider/README.md b/chart/pulumi-esc-csi-provider/README.md index 575258d..99bbf13 100644 --- a/chart/pulumi-esc-csi-provider/README.md +++ b/chart/pulumi-esc-csi-provider/README.md @@ -1,6 +1,6 @@ # Pulumi ESC Secret Store CSI Driver - Helm Chart -![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=for-the-badge) +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=for-the-badge) ## Description 📜 
@@ -11,7 +11,7 @@ A Helm chart for the Pulumi ESC CSI provider To install the chart using the OCI artifact, run: ```bash -helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --version 0.1.3 --namespace kube-system +helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --version 0.1.4 --namespace kube-system ``` After a few seconds, the `pulumi-esc-csi-provider` should be running. diff --git a/chart/pulumi-esc-csi-provider/templates/daemonset.yaml b/chart/pulumi-esc-csi-provider/templates/daemonset.yaml index 0720d48..cb17e04 100644 --- a/chart/pulumi-esc-csi-provider/templates/daemonset.yaml +++ b/chart/pulumi-esc-csi-provider/templates/daemonset.yaml @@ -76,7 +76,9 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} serviceAccountName: {{ .Values.serviceAccount.name }} - securityContext: {} + securityContext: + runAsUser: 0 + fsGroup: 0 containers: - name: {{ .Values.name }} image: {{ printf "%s:%s" .Values.image.repository (default (printf "%s" .Chart.AppVersion) .Values.image.tag) }} diff --git a/deployment/pulumi-esc-csi-provider.yaml b/deployment/pulumi-esc-csi-provider.yaml index 18f23e1..9b28e31 100644 --- a/deployment/pulumi-esc-csi-provider.yaml +++ b/deployment/pulumi-esc-csi-provider.yaml 
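Review bot: The pod-level `securityContext` in templates/daemonset.yaml now hard-codes `runAsUser: 0` and `fsGroup: 0`, so every install of the chart runs the provider as root with no way to tighten or override it from values; the same two lines are added to deployment/pulumi-esc-csi-provider.yaml. Root is presumably needed to create the provider socket in the host directory, but the change does not record that reason. I would render the block from values, for example `{{- toYaml .Values.podSecurityContext | nindent 8 }}` (the key name is a suggestion, defaulting to these two fields), and add a comment such as `# root is needed to create the provider socket on the hostPath mount`. Because the pod runs as UID 0, the container should also set `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` if it does not already. The container spec continues outside the hunk, so I cannot confirm whether it does.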
@@ -62,18 +62,22 @@ spec: app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc app.kubernetes.io/version: "0.4.2" spec: - serviceAccountName: secrets-store-csi-driver-provider-pulumi-esc securityContext: - {} + runAsUser: 0 + fsGroup: 0 + serviceAccountName: secrets-store-csi-driver-provider-pulumi-esc + containers: - name: secrets-store-csi-driver-provider-pulumi-esc - image: "dirien/secrets-store-csi-driver-provider-pulumi-esc" + image: "ghcr.io/dirien/pulumi-esc-csi-provider:0.1.0" imagePullPolicy: Always resources: {} + args: + - "-endpoint=/provider/pulumi.sock" volumeMounts: - name: socket - mountPath: /etc/kubernetes/secrets-store-csi-providers + mountPath: /provider volumes: - name: socket hostPath:
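Review bot: The new `image: "ghcr.io/dirien/pulumi-esc-csi-provider:0.1.0"` is pinned only by tag while `imagePullPolicy: Always` stays in place, so a re-pushed `0.1.0` tag would be pulled onto every node and run as UID 0 with a hostPath mount. Pinning by digest closes that gap: `image: "ghcr.io/dirien/pulumi-esc-csi-provider:0.1.0@sha256:<digest-of-released-image>"` (placeholder, to be filled in from the registry). Separately, `fsGroup: 0` probably has no effect on the `socket` volume, because it is a `hostPath` and Kubernetes does not apply fsGroup ownership changes to hostPath volumes; either drop it or add a comment saying what it is meant to cover. The `hostPath` definition continues past the end of the hunk, so its path and type are not visible here.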