Run all containers as privileged

On systems with SELinux enabled, all containers that access the CSI driver
socket must have the same security setting as the driver that exposes the
socket. Since the socket is exposed by privileged container, all sidecars
must be privileged too.

Author: jsafrane

deploy/kubernetes-1.16/hostpath/csi-hostpath-attacher.yaml

@@ -44,6 +44,11 @@ spec:
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           volumeMounts:
           - mountPath: /csi
             name: socket-dir

deploy/kubernetes-1.16/hostpath/csi-hostpath-plugin.yaml

@@ -46,6 +46,9 @@ spec:
             - --csi-address=/csi/csi.sock
             - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock
           securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
             privileged: true
           env:
             - name: KUBE_NODE_NAME
@@ -107,6 +110,11 @@ spec:
           volumeMounts:
           - mountPath: /csi
             name: socket-dir
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           image: quay.io/k8scsi/livenessprobe:v1.1.0
           args:
           - --csi-address=/csi/csi.sock

deploy/kubernetes-1.16/hostpath/csi-hostpath-provisioner.yaml

@@ -46,6 +46,11 @@ spec:
             - --csi-address=/csi/csi.sock
             - --connection-timeout=15s
             - --feature-gates=Topology=true
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

deploy/kubernetes-1.16/hostpath/csi-hostpath-resizer.yaml

@@ -44,6 +44,11 @@ spec:
           args:
             - -v=5
             - -csi-address=/csi/csi.sock
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

deploy/kubernetes-1.16/hostpath/csi-hostpath-snapshotter.yaml

@@ -45,6 +45,11 @@ spec:
             - -v=5
             - --csi-address=/csi/csi.sock
             - --connection-timeout=15s
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

deploy/kubernetes-1.16/hostpath/csi-hostpath-testing.yaml

@@ -49,6 +49,11 @@ spec:
           args:
             - tcp-listen:10000,fork,reuseaddr
             - unix-connect:/csi/csi.sock
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
           volumeMounts:
           - mountPath: /csi
             name: socket-dir