
2024

🔒🧰 Hardening Kubernetes CSI Drivers: Reducing CAP_SYS_ADMIN Without Breaking Storage

Many Kubernetes storage drivers still rely on the powerful—and notoriously over‑broad—Linux capability CAP_SYS_ADMIN to perform host‑level operations. While it enables critical actions such as mounting filesystems (the mount(2) and umount2(2) system calls are gated on it), it also grants far more than that, and substantially expands the attack surface of every node that runs the driver.

This post explains why CSI node plugins often end up needing CAP_SYS_ADMIN, what breaks when you remove it, and several concrete hardening strategies using tools like seccomp, AppArmor, SELinux, and controlled privilege elevation.
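As an added illustration (not a manifest from the post above, nor from any vendor's driver), the following shows a CSI node-plugin DaemonSet in the over-broad form many drivers ship, beside a reduced form that keeps only CAP_SYS_ADMIN and layers a seccomp and an AppArmor profile on top. The image name, driver directory, socket path and profile names are placeholders; the profiles themselves are assumed to be installed on every node.

```yaml
# Added example, not from the original post or any shipped CSI driver.
# Document 1: the common over-broad form. privileged: true grants every
# capability, not just CAP_SYS_ADMIN, and container runtimes typically apply
# no seccomp or AppArmor confinement to a privileged container.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-node-before            # placeholder name
  namespace: kube-system
spec:
  selector:
    matchLabels: { app: csi-node-before }
  template:
    metadata:
      labels: { app: csi-node-before }
    spec:
      containers:
      - name: csi-node
        image: example.com/csi-node:placeholder      # placeholder image
        args: ["--endpoint=unix:///csi/csi.sock"]
        securityContext:
          privileged: true                           # weak: all capabilities, no profiles
        volumeMounts:
        - name: kubelet-dir
          mountPath: /var/lib/kubelet
          mountPropagation: Bidirectional            # only allowed on privileged containers
      volumes:
      - name: kubelet-dir
        hostPath: { path: /var/lib/kubelet, type: Directory }
---
# Document 2: the reduced form. Drop everything, add back the one capability
# the mount step needs, forbid privilege gain after exec, and confine the
# process with seccomp and AppArmor. Profile paths are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-node-after             # placeholder name
  namespace: kube-system
spec:
  selector:
    matchLabels: { app: csi-node-after }
  template:
    metadata:
      labels: { app: csi-node-after }
    spec:
      containers:
      - name: csi-node
        image: example.com/csi-node:placeholder      # placeholder image
        args: ["--endpoint=unix:///csi/csi.sock"]
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false            # no setuid / file-capability gain via execve
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["SYS_ADMIN"]                       # mount(2)/umount2(2) still require it
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/csi-node.json # assumed; relative to kubelet's seccomp root
          appArmorProfile:                           # Kubernetes 1.30+; older clusters use the
            type: Localhost                          # container.apparmor.security.beta.kubernetes.io
            localhostProfile: csi-node               # annotation instead. Assumed profile name.
        volumeMounts:
        - name: plugin-dir
          mountPath: /csi
        - name: kubelet-dir
          mountPath: /var/lib/kubelet
          # No mountPropagation: Bidirectional here; see the note below.
        - name: dev
          mountPath: /dev
      volumes:
      - name: plugin-dir
        hostPath:
          path: /var/lib/kubelet/plugins/csi.example.com   # placeholder driver directory
          type: DirectoryOrCreate
      - name: kubelet-dir
        hostPath: { path: /var/lib/kubelet, type: Directory }
      - name: dev
        hostPath: { path: /dev, type: Directory }
```

Two caveats before applying the second form to a real driver. First, kubelet only accepts `mountPropagation: Bidirectional` on privileged containers, and most node plugins rely on it so that mounts they perform under the kubelet directory become visible on the host; that single constraint is a large part of why drivers end up privileged, and it is why a fully reduced spec usually has to be paired with a separate, controlled path for the mount step itself rather than applied on its own. Second, the seccomp and AppArmor profiles referenced here have to exist on every node before the pod is scheduled; a `Localhost` profile that is missing causes the container to fail to start rather than silently run unconfined, which is the desired failure mode but one to plan for during rollout.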

Best Practices for Deployment and Life Cycle Management of Dell CSM Modules

Co-authored with Parasar Kodati.

The Dell CSM Kubernetes Operator packages the CSI driver and other storage services (Container Storage Modules) for observability, replication, authorization, and node resiliency. This single operator supports the PowerFlex, PowerStore, PowerScale, and Unity platforms (see the Support Matrix). This post lays out best practices for deployment and lifecycle management of Dell CSMs.

Network Design for PowerScale CSI

Co-authored with Sean Zhan.

Network connectivity is an essential part of any infrastructure architecture. When it comes to how Kubernetes connects to PowerScale, there are several options to configure the Container Storage Interface (CSI). This post covers the concepts and configuration you can implement.