Readonly access to csi secret store provider containers

[shafanaS]

Does csi secret store provider containers require write access to the file system?
If read only access is sufficient, how can this be enabled through helm chart during deployment.

securityContext:
      readOnlyRootFilesystem: true

[nilekhc]

Hello @shafanaS, Provider does not need write access to file system as secrets are being written by driver. And since it's not required, we have by default set readOnlyRootFilesystem: true and won't let this override through helm.

[shafanaS]

Hi @nilekhc. Thank you for the answer.
I have used below chart to deploy csi secret store driver in my AKS.

helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts
helm upgrade --install csi-secrets-store-provider-azure csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace csi-secret-store-driver --version 0.0.16

According to AKS policy "Kubernetes cluster containers should run with a read only root file system" csi secret store containers are listed as non compliant. When I checked the deployment daemonset for the below containers readOnlyRootFilesystem: true was not set.

• provider-azure-installer
• node-driver-registrar
• secrets-store
• liveness-probe
• node-driver-registrar

How can I enable readOnlyRootFilesystem: true flag to these containers using helm?

[nilekhc]

Hi @shafanaS, I see you are setting version as 0.0.16 in your steps. That is very old version. We now have stable v1.0.0.

Could you try these install step?

helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts
helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system

[ritazh]

ICYMI Since you are on AKS, this component is a managed AKS addon, for more information checkout https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver