Replace kubelet volume mount with subdirectories

[hajiler]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind bug

What this PR does / why we need it:

The driver was previously mounting the entire /var/lib/kubelet host directory. This broad access violates the principle of least privilege by exposing sensitive subdirectories—such as /var/lib/kubelet/pki/ (node certificates) and /var/lib/kubelet/pods/ (all pod volumes and tokens)—to the CSI container.

This change replaces the single broad root mount with restricted hostPath mounts.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[mattcary]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hajiler, mattcary

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mattcary]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hajiler]

/test pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2022
/test pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2022

[k8s-ci-robot]

@hajiler: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sunnylovestiramisu]

/retest

[k8s-ci-robot]

@hajiler: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2022	200a34c	link	false	/test pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2022
pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2019	200a34c	link	false	/test pull-gcp-compute-persistent-disk-csi-driver-e2e-windows-2019

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sunnylovestiramisu]

Failed tests related to VolumeSnapshot.
/lgtm