Skip to content

Commit

Permalink
Merge pull request #794 from umagnus/node-security-context
Browse files Browse the repository at this point in the history 
fix: shield guard issue on csi node
  • Loading branch information
@k8s-ci-robot
k8s-ci-robot authored Jun 21, 2024
2 parents 943001a + bc431bb commit aba2761
Show file tree
Hide file tree
Showing 15 changed files with 135 additions and 0 deletions.
Binary file modified charts/latest/csi-driver-smb-v0.0.0.tgz
View file
Binary file not shown.
12 changes: 12 additions & 0 deletions charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ spec:
value: unix://C:\\csi\\csi.sock
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -91,6 +95,10 @@ spec:
- name: registration-dir
mountPath: C:\registration
resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -141,6 +149,10 @@ spec:
- name: csi-proxy-smb-pipe-v1beta1
mountPath: \\.\pipe\csi-proxy-smb-v1beta1
resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
10 changes: 10 additions & 0 deletions charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ spec:
resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -95,6 +98,10 @@ spec:
- name: registration-dir
mountPath: /registration
resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -129,6 +136,9 @@ spec:
securityContext:
readOnlyRootFilesystem: true
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
Binary file modified charts/v1.13.0/csi-driver-smb-v1.13.0.tgz
View file
Binary file not shown.
12 changes: 12 additions & 0 deletions charts/v1.13.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ spec:
value: unix://C:\\csi\\csi.sock
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -91,6 +95,10 @@ spec:
- name: registration-dir
mountPath: C:\registration
resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -141,6 +149,10 @@ spec:
- name: csi-proxy-smb-pipe-v1beta1
mountPath: \\.\pipe\csi-proxy-smb-v1beta1
resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
10 changes: 10 additions & 0 deletions charts/v1.13.0/csi-driver-smb/templates/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ spec:
resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -95,6 +98,10 @@ spec:
- name: registration-dir
mountPath: /registration
resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -131,6 +138,9 @@ spec:
securityContext:
readOnlyRootFilesystem: true
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
Binary file modified charts/v1.14.0/csi-driver-smb-v1.14.0.tgz
View file
Binary file not shown.
12 changes: 12 additions & 0 deletions charts/v1.14.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ spec:
value: unix://C:\\csi\\csi.sock
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -91,6 +95,10 @@ spec:
- name: registration-dir
mountPath: C:\registration
resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -141,6 +149,10 @@ spec:
- name: csi-proxy-smb-pipe-v1beta1
mountPath: \\.\pipe\csi-proxy-smb-v1beta1
resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
10 changes: 10 additions & 0 deletions charts/v1.14.0/csi-driver-smb/templates/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ spec:
resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -95,6 +98,10 @@ spec:
- name: registration-dir
mountPath: /registration
resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: smb
{{- if hasPrefix "/" .Values.image.smb.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
Expand Down Expand Up @@ -129,6 +136,9 @@ spec:
securityContext:
readOnlyRootFilesystem: true
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
12 changes: 12 additions & 0 deletions deploy/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args:
Expand Down Expand Up @@ -84,6 +88,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: gcr.io/k8s-staging-sig-storage/smbplugin:canary
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -133,6 +141,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
11 changes: 11 additions & 0 deletions deploy/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args:
Expand Down Expand Up @@ -75,6 +79,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: gcr.io/k8s-staging-sig-storage/smbplugin:canary
imagePullPolicy: IfNotPresent
Expand All @@ -101,6 +109,9 @@ spec:
fieldPath: spec.nodeName
securityContext:
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
12 changes: 12 additions & 0 deletions deploy/v1.13.0/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
args:
Expand Down Expand Up @@ -84,6 +88,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: registry.k8s.io/sig-storage/smbplugin:v1.13.0
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -133,6 +141,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
11 changes: 11 additions & 0 deletions deploy/v1.13.0/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
args:
Expand Down Expand Up @@ -75,6 +79,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: registry.k8s.io/sig-storage/smbplugin:v1.13.0
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -104,6 +112,9 @@ spec:
fieldPath: spec.nodeName
securityContext:
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
12 changes: 12 additions & 0 deletions deploy/v1.14.0/csi-smb-node-windows.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args:
Expand Down Expand Up @@ -84,6 +88,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: registry.k8s.io/sig-storage/smbplugin:v1.14.0
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -133,6 +141,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
11 changes: 11 additions & 0 deletions deploy/v1.14.0/csi-smb-node.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args:
Expand Down Expand Up @@ -75,6 +79,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: smb
image: registry.k8s.io/sig-storage/smbplugin:v1.14.0
imagePullPolicy: IfNotPresent
Expand All @@ -101,6 +109,9 @@ spec:
fieldPath: spec.nodeName
securityContext:
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down

0 comments on commit aba2761

Please sign in to comment.