charts: add allowPrivilegeEscalation: true to containerSecurityContext to nodeplugin daemonset

[losil]

Describe what this PR does

When running the kubernetes cluster with one single privileged PodSecurityPolicy which is allowing everything the nodeplugin daemonset can fail to start. To be precise the problem is the defaultAllowPrivilegeEscalation: false configuration in the PSP. Containers of the nodeplugin daemonset won't start when they have privileged: true but no allowPrivilegeEscalation in their container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set allowPrivilegeEscalation to false and privileged to true:

[Warning  FailedCreate  7s (x3 over 14s)  daemonset-controller  (combined from similar events): Error creating: Pod "ceph-csi-nodeplugin-rbd-7qm9f" is invalid: [spec.containers[0].securityContext: Invalid value: core.SecurityContext{Capabilities:(*core.Capabilities)(nil), Privileged:(*bool)(0xc04f579a0c), SELinuxOptions:(*core.SELinuxOptions)(nil), WindowsOptions:(*core.WindowsSecurityContextOptions)(nil), RunAsUser:(*int64)(nil), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(nil), ReadOnlyRootFilesystem:(*bool)(nil), AllowPrivilegeEscalation:(*bool)(0xc04d20ce50), ProcMount:(*core.ProcMountType)(nil), SeccompProfile:(*core.SeccompProfile)(nil)}: cannot set `allowPrivilegeEscalation` to false and `privileged` to true, spec.containers[2].securityContext: Invalid value: core.SecurityContext{Capabilities:(*core.Capabilities)(nil), Privileged:(*bool)(0xc04f579a0f), SELinuxOptions:(*core.SELinuxOptions)(nil), WindowsOptions:(*core.WindowsSecurityContextOptions)(nil), RunAsUser:(*int64)(nil), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(nil), ReadOnlyRootFilesystem:(*bool)(nil), AllowPrivilegeEscalation:(*bool)(0xc04d20ce50), ProcMount:(*core.ProcMountType)(nil), SeccompProfile:(*core.SeccompProfile)(nil)}: cannot set `allowPrivilegeEscalation` to false and `privileged` to true]]()

The default PodSecurityPolicy for every workload in the k8s cluster is the following:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  name: system-unrestricted-psp
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  defaultAllowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

The daemonsets run when the allowPrivilegeEscalation parameter is added to the container securityContext config. In detail this is needed for the containers:

• driver-registrar
• liveness-prometheus

Updating the helm chart templates for ceph-csi-rbd and ceph-csi-cephfssolve the problem when using defaultAllowPrivilegeEscalation: true in global privileged PodSecurityPolicy. For example:

{{- if .Values.nodeplugin.httpMetrics.enabled }}
        - name: liveness-prometheus
          securityContext:
            privileged: true
            allowPrivilegeEscalation: true
          image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"

Is there anything that requires special attention

Do you have any questions? No

Is the change backward compatible? Yes

Are there concerns around backward compatibility? No

Provide any external context for the change, if any.

For example:

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Related issues

Mention any github issues relevant to this PR. Adding below line
will help to auto close the issue once the PR is merged.

None

Future concerns

List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.

None

---

Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

• /retest ci/centos/<job-name>: retest the <job-name> after unrelated
  failure (please report the failure too!)
• /retest all: run this in case the CentOS CI failed to start/report any test
  progress or results

[yati1998]

@losil please check the DCO failure. We have specific guidelines for the commit messages.

[humblec]

@losil as you know PSP ( PodSecurityPolicy) is getting deprecated in upstream. Regardless we could have this in chart 👍

[losil]

@losil as you know PSP ( PodSecurityPolicy) is getting deprecated in upstream. Regardless we could have this in chart 👍

@humblec of course I am aware of the PSPs deprecation and honestly look forward to getting rid of them.
But since we are still running our clusters with k8s 1.21.10 we still rely on the PSPs.

[humblec]

Yeah , please correct the commit lint error @losil .. it should be good to go..

[Madhu-1]

@losil Please check https://github.com/ceph/ceph-csi/blob/devel/docs/development-guide.md#commit-messages standard followed for commit message.

it should be something like below

helm: allowPrivilegeEscalation: true in containerSecurityContext

When running the kubernetes cluster with one single privileged 
PodSecurityPolicy which is allowing everything the nodeplugin 
daemonset can fail to start. To be precise the problem is the 
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they 
have privileged: true but no allowPrivilegeEscalation in their c
ontainer securityContext.

Kubernetes will not schedule if this mismatch exists cannot set 
allowPrivilegeEscalation to false and privileged to true:

Signed-off-by: Silvan Loser <[email protected]>

[losil]

@losil Please check https://github.com/ceph/ceph-csi/blob/devel/docs/development-guide.md#commit-messages standard followed for commit message.

it should be something like below

helm: allowPrivilegeEscalation: true in containerSecurityContext

When running the kubernetes cluster with one single privileged 
PodSecurityPolicy which is allowing everything the nodeplugin 
daemonset can fail to start. To be precise the problem is the 
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they 
have privileged: true but no allowPrivilegeEscalation in their c
ontainer securityContext.

Kubernetes will not schedule if this mismatch exists cannot set 
allowPrivilegeEscalation to false and privileged to true:

Signed-off-by: Silvan Loser <[email protected]>

Thanks for the hint!

[humblec]

/retest ci/centos/k8s-e2e-external-storage/1.21

[humblec]

/retest ci/centos/mini-e2e-helm/k8s-1.21

[humblec]

@Mergifyio rebase

[mergify]

rebase

✅ Branch has been successfully rebased

[humblec]

@Mergifyio rebase

[humblec]

@Mergifyio refresh

[mergify]

rebase

✅ Branch has been successfully rebased

[mergify]

refresh

✅ Pull request refreshed

[Madhu-1]

@losil Sorry for the late review on this one.

Same changes are required in the below files

deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
deploy/rbd/kubernetes/csi-rbdplugin.yaml

Pull request has been modified.

[Madhu-1]

@losil can you please change Signed-off-by: Silvan Loser <[email protected]> to Signed-off-by: Silvan Loser <[email protected]> in your 2nd commit?

Pull request has been modified.

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.23" test failed. Logs are available at location for debugging

[ceph-csi-bot]

/retest ci/centos/mini-e2e/k8s-1.23

[ceph-csi-bot]

@losil "ci/centos/mini-e2e/k8s-1.23" test failed. Logs are available at location for debugging

[ceph-csi-bot]

@Mergifyio requeue

[mergify]

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

[ceph-csi-bot]

/retest ci/centos/mini-e2e-helm/k8s-1.21

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.21" test failed. Logs are available at location for debugging

[ceph-csi-bot]

/retest ci/centos/k8s-e2e-external-storage/1.22

[ceph-csi-bot]

@losil "ci/centos/k8s-e2e-external-storage/1.22" test failed. Logs are available at location for debugging

[ceph-csi-bot]

@Mergifyio requeue

[mergify]

requeue

☑️ This pull request is already queued

[ceph-csi-bot]

/retest ci/centos/mini-e2e-helm/k8s-1.21

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.21" test failed. Logs are available at location for debugging

[ceph-csi-bot]

/retest ci/centos/mini-e2e-helm/k8s-1.22

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.22" test failed. Logs are available at location for debugging

[ceph-csi-bot]

@Mergifyio requeue

[mergify]

requeue

☑️ This pull request is already queued

[ceph-csi-bot]

/retest ci/centos/mini-e2e-helm/k8s-1.22

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.22" test failed. Logs are available at location for debugging

[ceph-csi-bot]

@Mergifyio requeue

[mergify]

requeue

☑️ This pull request is already queued

[ceph-csi-bot]

/retest ci/centos/mini-e2e-helm/k8s-1.22

[ceph-csi-bot]

@losil "ci/centos/mini-e2e-helm/k8s-1.22" test failed. Logs are available at location for debugging

[ceph-csi-bot]

@Mergifyio requeue

[mergify]

requeue

☑️ This pull request is already queued

[Madhu-1]

@Mergifyio refresh

[mergify]

refresh

✅ Pull request refreshed