From eb50d48354ed71a31f81cb7641108924225e5517 Mon Sep 17 00:00:00 2001
From: Grant Griffiths
Date: Wed, 4 Dec 2019 18:56:18 -0800
Subject: [PATCH] Run all 1.17 containers as privileged
Signed-off-by: Grant Griffiths
---
 deploy/kubernetes-1.17/hostpath/csi-hostpath-attacher.yaml | 5 +++++
 deploy/kubernetes-1.17/hostpath/csi-hostpath-plugin.yaml | 4 +++-
 .../kubernetes-1.17/hostpath/csi-hostpath-provisioner.yaml | 5 +++++
 deploy/kubernetes-1.17/hostpath/csi-hostpath-resizer.yaml | 5 +++++
 .../kubernetes-1.17/hostpath/csi-hostpath-snapshotter.yaml | 5 +++++
 deploy/kubernetes-1.17/hostpath/csi-hostpath-testing.yaml | 5 +++++
 6 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-attacher.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-attacher.yaml
index 823763a91..295540cc5 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-attacher.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-attacher.yaml
@@ -44,6 +44,11 @@ spec:
 args:
 - --v=5
 - --csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-plugin.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-plugin.yaml
index 2d54b74e8..52e06069d 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-plugin.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-plugin.yaml
@@ -34,7 +34,6 @@ spec:
 labels:
 app: csi-hostpathplugin
 spec:
- hostNetwork: true
 containers:
 - name: node-driver-registrar
 image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
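Review bot: `privileged: true` on the csi-attacher sidecar is set unconditionally even though the added comment says it is needed only on SELinux hosts, and the same five lines recur in the provisioner, resizer, snapshotter and testing hunks. Privileged mode grants every capability and host device access rather than just the socket access the comment describes, so each sidecar becomes a path to the node if it is compromised. It would be worth checking whether a narrower setting, for example `seLinuxOptions` in the container `securityContext` with a level or type matching the driver container, solves the socket problem; I have not verified that it does for this deployment. If privileged has to stay, extend the comment with something like `# Grants full host privileges; example deployment only, scope down before production use.` The container specs begin above the hunks, so any pod-level securityContext is not visible here.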
@@ -47,6 +46,9 @@ spec:
 - --csi-address=/csi/csi.sock
 - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock
 securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
 privileged: true
 env:
 - name: KUBE_NODE_NAME
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-provisioner.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-provisioner.yaml
index 85904dfb1..fc92ae824 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-provisioner.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-provisioner.yaml
@@ -45,6 +45,11 @@ spec:
 - -v=5
 - --csi-address=/csi/csi.sock
 - --feature-gates=Topology=true
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-resizer.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-resizer.yaml
index 77af2afb0..fbfa2ec40 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-resizer.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-resizer.yaml
@@ -44,6 +44,11 @@ spec:
 args:
 - -v=5
 - -csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-snapshotter.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-snapshotter.yaml
index 131dc9cb9..08fe7579f 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-snapshotter.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-snapshotter.yaml
@@ -46,6 +46,11 @@ spec:
 args:
 - -v=5
 - --csi-address=/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/kubernetes-1.17/hostpath/csi-hostpath-testing.yaml b/deploy/kubernetes-1.17/hostpath/csi-hostpath-testing.yaml
index 3e6b837d1..188a5bde8 100644
--- a/deploy/kubernetes-1.17/hostpath/csi-hostpath-testing.yaml
+++ b/deploy/kubernetes-1.17/hostpath/csi-hostpath-testing.yaml
@@ -49,6 +49,11 @@ spec:
 args:
 - tcp-listen:10000,fork,reuseaddr
 - unix-connect:/csi/csi.sock
+ securityContext:
+ # This is necessary only for systems with SELinux, where
+ # non-privileged sidecar containers cannot access unix domain socket
+ # created by privileged CSI driver container.
+ privileged: true
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
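Review bot: The testing container's args (`tcp-listen:10000,fork,reuseaddr` and `unix-connect:/csi/csi.sock`) forward a TCP port to the CSI socket, and the csi-hostpath-testing.yaml hunk now runs that forwarder privileged. Nothing in the visible lines authenticates or restricts callers of port 10000, so anything that can reach the port can issue CSI calls to the privileged driver; that may be acceptable for a test fixture, but the manifest should say so. I would add a comment above `securityContext:` such as `# Test-only: exposes the CSI socket over TCP without authentication; do not deploy outside a disposable cluster.` The container spec begins above the hunk, so the image and any Service or NetworkPolicy in front of this port are not visible here.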