diff --git a/csi/deployment.go b/csi/deployment.go index 6e6488dec7..42deeec945 100644 --- a/csi/deployment.go +++ b/csi/deployment.go @@ -279,7 +279,6 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li Tolerations: tolerations, NodeSelector: nodeSelector, PriorityClassName: priorityClass, - HostPID: true, Containers: []corev1.Container{ { Name: "node-driver-registrar", @@ -419,13 +418,15 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li MountPath: "/dev", }, { - Name: "host-sys", - MountPath: "/sys", + // The plugin must be able to switch to the host's namespaces in order to execute + // cryptsetup commands for encrypted devices to mount RWX volumes when not using a + // storage network. + Name: "host-proc", + MountPath: "/host/proc", }, { - Name: "host", - MountPath: "/host", - MountPropagation: &MountPropagationBidirectional, + Name: "host-sys", + MountPath: "/sys", }, { Name: "lib-modules", @@ -481,18 +482,18 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li }, }, { - Name: "host-sys", + Name: "host-proc", VolumeSource: corev1.VolumeSource{ HostPath: &corev1.HostPathVolumeSource{ - Path: "/sys", + Path: "/proc", }, }, }, { - Name: "host", + Name: "host-sys", VolumeSource: corev1.VolumeSource{ HostPath: &corev1.HostPathVolumeSource{ - Path: "/", + Path: "/sys", }, }, }, diff --git a/package/nsmounter b/package/nsmounter index 05ba2647e3..1d7015599c 100755 --- a/package/nsmounter +++ b/package/nsmounter @@ -1,6 +1,6 @@ #!/bin/bash -PROC_DIR="/proc" +PROC_DIR="/host/proc" os_distro_talos="talos" os_distro="" @@ -43,4 +43,10 @@ get_os_distro [[ $os_distro = $os_distro_talos ]] && get_pid "kubelet" -nsenter -t $target_pid -m -n -u -- "$@" \ No newline at end of file +# Use namespace files instead of -t to avoid the need for HostPID. +ns_dir="$PROC_DIR/$target_pid/ns" +ns_mnt="$ns_dir/mnt" +ns_net="$ns_dir/net" +ns_uts="$ns_dir/uts" + +nsenter --mount="$ns_mnt" --net="$ns_net" --uts="$ns_uts" -- "$@"