From b50d8596ea78a93942f5334699f34133715beb93 Mon Sep 17 00:00:00 2001
From: Silvan Loser <33911078+losil@users.noreply.github.com>
Date: Tue, 12 Apr 2022 07:45:44 +0200
Subject: [PATCH] deploy: allowPrivilegeEscalation: true in containerSecurityContext

When running the kubernetes cluster with one single privileged PodSecurityPolicy which is allowing everything the nodeplugin daemonset can fail to start. To be precise the problem is the defaultAllowPrivilegeEscalation: false configuration in the PSP. Containers of the nodeplugin daemonset won't start when they have privileged: true but no allowPrivilegeEscalation in their container securityContext. Kubernetes will not schedule if this mismatch exists cannot set allowPrivilegeEscalation to false and privileged to true:
Signed-off-by: Silvan Loser
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit f2e0fa28fb1a05f4091c666c7648c69b5c1037e2)
---
 deploy/cephfs/kubernetes/csi-cephfsplugin.yaml | 2 ++
 deploy/rbd/kubernetes/csi-rbdplugin.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
index 64508b8fa..96d943a3e 100644
--- a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
@@ -26,6 +26,7 @@ spec:
 # created by privileged CSI driver container.
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
 args:
 - "--v=5"
@@ -106,6 +107,7 @@ spec:
 - name: liveness-prometheus
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: quay.io/cephcsi/cephcsi:v3.6-canary
 args:
 - "--type=liveness"
diff --git a/deploy/rbd/kubernetes/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
index a5687c713..e41fd5905 100644
--- a/deploy/rbd/kubernetes/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
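Review bot: The added `allowPrivilegeEscalation: true` under both `privileged: true` containers in csi-cephfsplugin.yaml reads as a no-op (a privileged container can already escalate), so without an in-manifest comment the next cleanup will strip it as redundant and reintroduce the admission failure the commit message describes; the rationale belongs directly above each added line, not only in git history. Something like `# Explicit, not redundant: a PSP with defaultAllowPrivilegeEscalation: false would otherwise mutate this to false, which the API server rejects together with privileged: true.` documents it at the point of use. Because this only matters for clusters still running PodSecurityPolicy (deprecated in 1.21 and removed in 1.25), the comment is also the natural place to record when the line can be dropped. Both container specs (driver-registrar and liveness-prometheus) start and end outside these hunks.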
@@ -28,6 +28,7 @@ spec:
 # created by privileged CSI driver container.
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0
 args:
 - "--v=5"
@@ -124,6 +125,7 @@ spec:
 - name: liveness-prometheus
 securityContext:
 privileged: true
+ allowPrivilegeEscalation: true
 image: quay.io/cephcsi/cephcsi:v3.6-canary
 args:
 - "--type=liveness"
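Review bot: In csi-rbdplugin.yaml the new `allowPrivilegeEscalation: true` lines sit next to `privileged: true` with nothing recording that they exist to stop a PSP's `defaultAllowPrivilegeEscalation: false` from being injected, which is the only reason they are not dead weight. A one-line comment above each, e.g. `# Kept explicit so a PSP default of allowPrivilegeEscalation=false is not injected (conflicts with privileged: true).`, protects them from a well-meaning removal. Worth stating in that comment too that this only helps when the governing PSP itself permits privilege escalation; a policy that forbids it will reject these privileged containers regardless of what the manifest sets. The driver-registrar and liveness-prometheus container blocks continue outside the hunks.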