From 059969b10bc5291d6471e5485e92f0d03ad98579 Mon Sep 17 00:00:00 2001
From: Silvan Loser <33911078+losil@users.noreply.github.com>
Date: Wed, 6 Apr 2022 07:16:28 +0200
Subject: [PATCH] helm: allowPrivilegeEscalation: true in containerSecurityContext

When running the kubernetes cluster with one single privileged PodSecurityPolicy which is allowing everything the nodeplugin daemonset can fail to start. To be precise the problem is the defaultAllowPrivilegeEscalation: false configuration in the PSP. Containers of the nodeplugin daemonset won't start when they have privileged: true but no allowPrivilegeEscalation in their container securityContext. Kubernetes will not schedule if this mismatch exists cannot set allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit 06c4477ff9fce02c49439d800f36cce82319f805)
---
 charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml | 2 ++
 charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index 58e61e93d..0b997a16b 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -42,6 +42,7 @@ spec:
 # created by privileged CSI driver container.
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
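Review bot: The added `allowPrivilegeEscalation: true` line carries no comment explaining why it is spelled out next to `privileged: true`, so a later hardening pass that drops it as redundant would silently reintroduce the PSP `defaultAllowPrivilegeEscalation: false` conflict the commit message describes. Suggest a template comment directly above the added line, e.g. `# set explicitly: a PSP defaulting allowPrivilegeEscalation to false would otherwise inject a value the API server rejects together with privileged: true`. Writing the field explicitly grants nothing beyond what `privileged: true` already implies, so the change does not widen the container's privilege, which the comment could also state. The same point applies to the liveness-prometheus hunk in this chart and to both hunks of charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml. The container definition begins and ends outside the hunk.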
@@ -135,6 +136,7 @@ spec:
 - name: liveness-prometheus
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index 120d9627c..decd6e78c 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -42,6 +42,7 @@ spec:
 # created by privileged CSI driver container.
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
 args:
@@ -142,6 +143,7 @@ spec:
 - name: liveness-prometheus
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
 imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
 args:
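Review bot: In the liveness-prometheus hunk the new `allowPrivilegeEscalation: true` lands on a sidecar that is already `privileged: true`, and nothing visible in the hunk shows why a liveness/metrics container needs either setting; if it only serves probe and metrics endpoints it could presumably run with `privileged: false` and `allowPrivilegeEscalation: false`, which is the least-privilege shape a restricted Pod Security admission profile expects. The privileged flag predates this commit, so this is a follow-up rather than a blocker, but the explicit line now makes the elevated posture of that sidecar more deliberate-looking and worth a comment or a values knob. The same observation applies to the matching liveness-prometheus hunk in charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml. The container definition begins and ends outside the hunk, so any volume or host access that would justify privilege is not visible here.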