diff --git a/charts/latest/azurefile-csi-driver-v1.28.10.tgz b/charts/latest/azurefile-csi-driver-v1.28.10.tgz index 1bf689ab96..1adf178d2a 100644 Binary files a/charts/latest/azurefile-csi-driver-v1.28.10.tgz and b/charts/latest/azurefile-csi-driver-v1.28.10.tgz differ diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml index 12cca057ae..453e25affb 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml @@ -85,6 +85,10 @@ spec: - mountPath: /csi name: socket-dir resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: csi-attacher {{- if hasPrefix "/" .Values.image.csiAttacher.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}" @@ -107,6 +111,10 @@ spec: - mountPath: /csi name: socket-dir resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: csi-snapshotter {{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}" @@ -125,6 +133,10 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: csi-resizer {{- if hasPrefix "/" .Values.image.csiResizer.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}" @@ -147,6 +159,10 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: liveness-probe {{- if hasPrefix "/" .Values.image.livenessProbe.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" @@ -167,6 +183,10 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" @@ -240,6 +260,10 @@ spec: readOnly: true {{- end }} resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL volumes: - name: socket-dir emptyDir: {} diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml index 82a79caf39..f55111f9f4 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml @@ -76,6 +76,10 @@ spec: - "powershell.exe" - "-c" - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force" + securityContext: + capabilities: + drop: + - ALL containers: - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} @@ -103,6 +107,10 @@ spec: fieldPath: spec.nodeName imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }} resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp" @@ -149,4 +157,8 @@ spec: fieldPath: spec.nodeName imagePullPolicy: {{ .Values.image.pullPolicy }} resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL {{- end -}} diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml index 9a193798eb..e4517ff0e3 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml @@ -80,6 +80,10 @@ spec: value: unix://C:\\csi\\csi.sock imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -118,6 +122,10 @@ spec: - name: registration-dir mountPath: C:\registration resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" @@ -193,6 +201,10 @@ spec: - name: csi-proxy-smb-pipe-v1beta1 mountPath: \\.\pipe\csi-proxy-smb-v1beta1 resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL volumes: - name: csi-proxy-fs-pipe-v1 hostPath: diff --git a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml index 3afcecb755..6332c7f4c8 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml @@ -82,6 +82,10 @@ spec: - --v=2 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }} resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -114,6 +118,10 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: azurefile {{- if hasPrefix "/" .Values.image.azurefile.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}" @@ -172,6 +180,9 @@ spec: imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir diff --git a/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml b/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml index d84398364d..d9e8e6f248 100644 --- a/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml +++ b/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml @@ -71,4 +71,8 @@ spec: - "--leader-election-namespace={{ .Release.Namespace }}" resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }} imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }} + securityContext: + capabilities: + drop: + - ALL {{- end -}} diff --git a/deploy/csi-azurefile-controller.yaml b/deploy/csi-azurefile-controller.yaml index 3d2e7c21ce..f71087d50b 100644 --- a/deploy/csi-azurefile-controller.yaml +++ b/deploy/csi-azurefile-controller.yaml @@ -53,6 +53,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: csi-attacher image: mcr.microsoft.com/oss/kubernetes-csi/csi-attacher:v4.3.0 args: @@ -75,6 +79,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: csi-snapshotter image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v6.2.1 args: @@ -94,6 +102,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: csi-resizer image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.8.0 args: @@ -116,6 +128,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: liveness-probe image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.10.0 args: @@ -132,6 +148,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: azurefile image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10 imagePullPolicy: IfNotPresent @@ -173,6 +193,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL volumes: - name: socket-dir emptyDir: {} diff --git a/deploy/csi-azurefile-node-windows-hostprocess.yaml b/deploy/csi-azurefile-node-windows-hostprocess.yaml index be0a24bf76..455a4dc270 100644 --- a/deploy/csi-azurefile-node-windows-hostprocess.yaml +++ b/deploy/csi-azurefile-node-windows-hostprocess.yaml @@ -49,6 +49,10 @@ spec: - "powershell.exe" - "-c" - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force" + securityContext: + capabilities: + drop: + - ALL containers: - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0 @@ -77,6 +81,10 @@ spec: requests: cpu: 30m memory: 40Mi + securityContext: + capabilities: + drop: + - ALL - name: azurefile image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10-windows-hp imagePullPolicy: IfNotPresent @@ -108,3 +116,7 @@ spec: requests: cpu: 10m memory: 40Mi + securityContext: + capabilities: + drop: + - ALL diff --git a/deploy/csi-azurefile-node-windows.yaml b/deploy/csi-azurefile-node-windows.yaml index b5558fa403..20739aa72e 100644 --- a/deploy/csi-azurefile-node-windows.yaml +++ b/deploy/csi-azurefile-node-windows.yaml @@ -57,6 +57,10 @@ spec: requests: cpu: 10m memory: 40Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0 args: @@ -93,6 +97,10 @@ spec: requests: cpu: 30m memory: 40Mi + securityContext: + capabilities: + drop: + - ALL - name: azurefile image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10 imagePullPolicy: IfNotPresent @@ -150,6 +158,10 @@ spec: requests: cpu: 10m memory: 40Mi + securityContext: + capabilities: + drop: + - ALL volumes: - name: csi-proxy-fs-pipe-v1 hostPath: diff --git a/deploy/csi-azurefile-node.yaml b/deploy/csi-azurefile-node.yaml index 46fbc2545d..5587228671 100644 --- a/deploy/csi-azurefile-node.yaml +++ b/deploy/csi-azurefile-node.yaml @@ -54,6 +54,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0 args: @@ -84,6 +88,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: azurefile image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10 imagePullPolicy: IfNotPresent @@ -117,6 +125,9 @@ spec: fieldPath: spec.nodeName securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir diff --git a/deploy/csi-snapshot-controller.yaml b/deploy/csi-snapshot-controller.yaml index 7ab1102ee4..56c7a65f08 100644 --- a/deploy/csi-snapshot-controller.yaml +++ b/deploy/csi-snapshot-controller.yaml @@ -53,3 +53,7 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL