Skip to content

Commit

Permalink
Merge pull request #1929 from umagnus/release-1.28-shield
Browse files Browse the repository at this point in the history
[release-1.28] fix shield guard on csi controller and node
  • Loading branch information
k8s-ci-robot authored Jun 21, 2024
2 parents 39dc23c + 1587552 commit dc66be4
Show file tree
Hide file tree
Showing 11 changed files with 126 additions and 0 deletions.
Binary file modified charts/latest/azurefile-csi-driver-v1.28.10.tgz
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
{{- if hasPrefix "/" .Values.image.csiAttacher.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}"
Expand All @@ -107,6 +111,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}"
Expand All @@ -125,6 +133,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
Expand All @@ -147,6 +159,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -167,6 +183,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
{{- if hasPrefix "/" .Values.image.azurefile.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
Expand Down Expand Up @@ -240,6 +260,10 @@ spec:
readOnly: true
{{- end }}
resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,10 @@ spec:
- "powershell.exe"
- "-c"
- "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force"
securityContext:
capabilities:
drop:
- ALL
containers:
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
Expand Down Expand Up @@ -103,6 +107,10 @@ spec:
fieldPath: spec.nodeName
imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
{{- if hasPrefix "/" .Values.image.azurefile.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp"
Expand Down Expand Up @@ -149,4 +157,8 @@ spec:
fieldPath: spec.nodeName
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ spec:
value: unix://C:\\csi\\csi.sock
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -118,6 +122,10 @@ spec:
- name: registration-dir
mountPath: C:\registration
resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
{{- if hasPrefix "/" .Values.image.azurefile.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
Expand Down Expand Up @@ -193,6 +201,10 @@ spec:
- name: csi-proxy-smb-pipe-v1beta1
mountPath: \\.\pipe\csi-proxy-smb-v1beta1
resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,10 @@ spec:
- --v=2
imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
Expand Down Expand Up @@ -114,6 +118,10 @@ spec:
- name: registration-dir
mountPath: /registration
resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
{{- if hasPrefix "/" .Values.image.azurefile.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
Expand Down Expand Up @@ -172,6 +180,9 @@ spec:
imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }}
securityContext:
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,4 +71,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}
24 changes: 24 additions & 0 deletions deploy/csi-azurefile-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
image: mcr.microsoft.com/oss/kubernetes-csi/csi-attacher:v4.3.0
args:
Expand All @@ -75,6 +79,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v6.2.1
args:
Expand All @@ -94,6 +102,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.8.0
args:
Expand All @@ -116,6 +128,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.10.0
args:
Expand All @@ -132,6 +148,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -173,6 +193,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
12 changes: 12 additions & 0 deletions deploy/csi-azurefile-node-windows-hostprocess.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ spec:
- "powershell.exe"
- "-c"
- "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force"
securityContext:
capabilities:
drop:
- ALL
containers:
- name: node-driver-registrar
image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
Expand Down Expand Up @@ -77,6 +81,10 @@ spec:
requests:
cpu: 30m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10-windows-hp
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -108,3 +116,7 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
12 changes: 12 additions & 0 deletions deploy/csi-azurefile-node-windows.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
args:
Expand Down Expand Up @@ -93,6 +97,10 @@ spec:
requests:
cpu: 30m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -150,6 +158,10 @@ spec:
requests:
cpu: 10m
memory: 40Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: csi-proxy-fs-pipe-v1
hostPath:
Expand Down
11 changes: 11 additions & 0 deletions deploy/csi-azurefile-node.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar
image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
args:
Expand Down Expand Up @@ -84,6 +88,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: azurefile
image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -117,6 +125,9 @@ spec:
fieldPath: spec.nodeName
securityContext:
privileged: true
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /csi
name: socket-dir
Expand Down
4 changes: 4 additions & 0 deletions deploy/csi-snapshot-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53,3 +53,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL

0 comments on commit dc66be4

Please sign in to comment.