csm
[FEATURE]: Hardening the isilon node
Describe the solution you'd like
Reading the daemonset isilon-ds, we see that the containers use the securityContext privileged: true. See below:
oc get ds isilon-node -o json | jq '.spec.template.spec.containers[0].securityContext'
# {
#   "capabilities": {
#     "add": [
#       "SYS_ADMIN"
#     ]
#   },
#   "privileged": true
# }
I do imagine that a CSI driver needs access to a lot of the Linux capabilities to run (man capabilities 7). But I do think that you'll not need all of them, such as CAP_SYS_TIME or CAP_WAKE_ALARM…
But as you know, capabilities split the root user's rights into many pieces.
Describe alternatives you've considered
Can you:
- restrict the capabilities needed as much as possible and provide us with a securityContextConstraint reflecting those needs.
- once the securityContextConstraint is written, explain to us the need for each capability.
Additional context
This is needed as we would like to have a
Add any other context or screenshots about the feature request here.
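An added example, not part of the original issue or of the CSM project's code: a small Python audit that reads a DaemonSet in the JSON shape `oc get ds -o json` returns and reports, per container, the privileged and capability settings raised in the request above. The sample manifest, the container names and the function name `audit_containers` are assumptions made for illustration.

```python
import json

# Constructed sample in the shape `oc get ds <name> -o json` returns.
# The first container's securityContext matches the output quoted in the issue;
# the second container and every name here are made up for illustration.
SAMPLE_DS = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "example-node"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "driver",
     "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]},
                         "privileged": true}},
    {"name": "registrar",
     "securityContext": {"capabilities": {"drop": ["ALL"]},
                         "allowPrivilegeEscalation": false}}
  ]}}}
}
""")


def audit_containers(workload):
    """Return (container_name, finding) tuples for securityContext settings."""
    pod = workload["spec"]["template"]["spec"]
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = caps.get("add") or []
        dropped = caps.get("drop") or []
        if sc.get("privileged"):
            findings.append((c["name"], "privileged: true grants every capability"))
            if added:
                # The add list has no effect while privileged is set.
                findings.append((c["name"], f"capabilities.add {added} is redundant"))
            continue
        if "ALL" not in dropped:
            findings.append((c["name"], "does not drop ALL capabilities"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
        for cap in added:
            findings.append((c["name"], f"adds {cap}: needs a documented reason"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_containers(SAMPLE_DS):
        print(f"{name}: {finding}")
```

To run it against a live cluster, replace `SAMPLE_DS` with the parsed output of the `oc get ds ... -o json` command shown in the issue.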
@randeepsharma : Could you please have a look?
@briner Thank you for this request. We will look into this and share the info on the same.
Hi, we have added this ticket to our backlog items and will take it up based on priority. Will post as and when there are updates on this.