diff --git a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
index 74937c30f62b..911536032c84 100644
--- a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
+++ b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
@@ -38,6 +38,8 @@ spec:
 # This is necessary for the Bidirectional mount propagation
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 image: {{ .CSIPluginImage }}
 command:
 - "/bin/sh"
diff --git a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
index e2a81a4ac7f5..54bf92cd17f8 100644
--- a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
@@ -254,6 +254,8 @@ spec:
 {{ if and .Privileged .CSILogRotation }}
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 {{ end }}
 volumeMounts:
 - name: socket-dir
diff --git a/pkg/operator/ceph/csi/template/csi-logrotate-sidecar.yaml b/pkg/operator/ceph/csi/template/csi-logrotate-sidecar.yaml
index e739862fa755..4a546e768e7b 100644
--- a/pkg/operator/ceph/csi/template/csi-logrotate-sidecar.yaml
+++ b/pkg/operator/ceph/csi/template/csi-logrotate-sidecar.yaml
@@ -28,6 +28,12 @@ command:
 image: {{ .CSIPluginImage }}
 imagePullPolicy: IfNotPresent
 name: log-collector
+{{ if .Privileged }}
+securityContext:
+ privileged: true
+ capabilities:
+ drop: ["ALL"]
+{{ end }}
 volumeMounts:
 - mountPath: {{ .CsiLogRootPath }}/logrotate-config/{{ .CsiComponentName }}
 name: csi-logs-logrotate
diff --git a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
index 5ee0e6f0674c..2a4c64cf803b 100644
--- a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
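Review bot: `drop: ["ALL"]` is placed beside `privileged: true` in this securityContext, and on the common container runtimes a privileged container is typically given the full capability set whatever the drop list says, so the added lines may change nothing at runtime. The same pairing appears in the nfs and rbd holder hunks, the three provisioner templates and the logrotate sidecar. I would not count this as hardening until the effective capabilities of a rendered pod have been checked on the target runtime, and I would add a comment such as `# drop list may be ignored while privileged is true; verify effective caps` so a later reader does not assume the container is capability-free. The container spec starts and ends outside the hunk.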
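Review bot: The new `capabilities.drop` sits inside `{{ if and .Privileged .CSILogRotation }}`, so when that condition is false the container renders with no securityContext at all and keeps the runtime's default capabilities. That unprivileged rendering is the one where a drop list would actually be enforced. If this container can run without capabilities (its definition begins outside the hunk, so that needs confirming), an `{{ else }}` branch carrying `securityContext:`, `capabilities:` and `drop: ["ALL"]` would cover it. The nfs provisioner hunk and both rbd provisioner hunks have the same shape.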
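Review bot: `privileged: true` is newly granted to the `log-collector` container here, with nothing in the hunk saying why a log-rotation sidecar needs it; in the other hunks the container was already privileged and only the drop list is new. A comment above `securityContext:` giving the reason, in the way the holder templates carry `# This is necessary for the Bidirectional mount propagation`, would let a reviewer judge whether a narrower setting would do. The guard is `{{ if .Privileged }}` while the provisioner templates use `{{ if and .Privileged .CSILogRotation }}`; presumably this template is only rendered when log rotation is enabled, but that is not visible from these lines.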
+++ b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
@@ -38,6 +38,8 @@ spec:
 # This is necessary for the Bidirectional mount propagation
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 image: {{ .CSIPluginImage }}
 command:
 - "/bin/sh"
diff --git a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
index 1b29209343fc..7fad6f7bf258 100644
--- a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
@@ -161,6 +161,8 @@ spec:
 {{ if and .Privileged .CSILogRotation }}
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 {{ end }}
 volumeMounts:
 - name: socket-dir
diff --git a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
index 9be084d4b791..6191b9729116 100644
--- a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
+++ b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
@@ -38,6 +38,8 @@ spec:
 # This is necessary for the Bidirectional mount propagation
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 image: {{ .CSIPluginImage }}
 command:
 - "/bin/sh"
diff --git a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
index ed25616151ed..5f8b23974a3e 100644
--- a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
@@ -207,6 +207,8 @@ spec:
 {{ if and .Privileged .CSILogRotation }}
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 {{ end }}
 volumeMounts:
 - name: socket-dir
@@ -263,6 +265,8 @@ spec:
 {{ if and .Privileged .CSILogRotation }}
 securityContext:
 privileged: true
+ capabilities:
+ drop: ["ALL"]
 {{ end }}
 volumeMounts:
 - name: socket-dir