Set seccomp profile to RuntimeDefault for csi-driver-node (#524)

gardener · Aug 29, 2022 · f054477 · f054477
1 parent 281cca7
commit f054477
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/...s/internal/shoot-system-components/charts/csi-alicloud/templates/auth/csi-plugin-psp.yaml b/...s/internal/shoot-system-components/charts/csi-alicloud/templates/auth/csi-plugin-psp.yaml
@@ -2,6 +2,9 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
   name: {{ include "csi-disk-plugin.extensionsGroup" . }}.kube-system.csi-disk-plugin-alicloud
 spec:
   privileged: true

diff --git a/charts/internal/shoot-system-components/charts/csi-alicloud/templates/csi-diskplugin-ds.yaml b/charts/internal/shoot-system-components/charts/csi-alicloud/templates/csi-diskplugin-ds.yaml
@@ -27,6 +27,11 @@ spec:
           operator: Exists
         - effect: NoExecute
           operator: Exists
+      {{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}
       containers:
       - name: driver-registrar
         image: {{ index .Values.images "csi-node-driver-registrar" }}