
Commit aba2761

authored
Merge pull request #794 from umagnus/node-security-context
fix: shield guard issue on csi node
2 parents 943001a + bc431bb commit aba2761

15 files changed

+135
-0
lines changed
10 Bytes
Binary file not shown.

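--- a/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
+++ b/charts/latest/csi-driver-smb/templates/csi-smb-node-windows.yaml
@@ -57,6 +57,10 @@ spec:
 value: unix://C:\\csi\\csi.sock
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -91,6 +95,10 @@ spec:
 - name: registration-dir
 mountPath: C:\registration
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -141,6 +149,10 @@ spec:
 - name: csi-proxy-smb-pipe-v1beta1
 mountPath: \\.\pipe\csi-proxy-smb-v1beta1
 resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: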
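Review bot: The `capabilities.drop: ALL` blocks added to the three containers in this Windows manifest have no enforcement effect, because POSIX capabilities are a Linux-only securityContext field that Windows nodes do not implement. They also carry a risk: if this DaemonSet's pod spec sets `os.name: windows` (not visible in these hunks), API validation requires `securityContext.capabilities` to be unset and the pods would be rejected. If the blocks are kept only to satisfy a policy scanner, say so above each one, e.g. `# no effect on Windows nodes; present only for policy checks`. The same applies to the csi-smb-node-windows.yaml files under charts/v1.13.0, charts/v1.14.0, deploy/, deploy/v1.13.0 and deploy/v1.14.0.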

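--- a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
+++ b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
@@ -65,6 +65,9 @@ spec:
 resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -95,6 +98,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -129,6 +136,9 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir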
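Review bot: In the last hunk the capability drop sits directly under `privileged: true` (presumably the smb container), and common container runtimes typically give a privileged container the full capability set regardless of the drop list, so this entry is unlikely to restrict that container. Anyone auditing the manifest will see `drop: ALL` and may assume the container is capability-restricted while it still has host-level access. I would add a comment above it such as `# privileged: true takes precedence over this drop on most runtimes; kept for policy checks only`, and consider `allowPrivilegeEscalation: false` on the two non-privileged sidecars, where it can actually take effect. The container definition starts and ends outside the hunk, and the same pattern appears in the csi-smb-node.yaml files under charts/v1.13.0, charts/v1.14.0, deploy/, deploy/v1.13.0 and deploy/v1.14.0.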
6 Bytes
Binary file not shown.

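--- a/charts/v1.13.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
+++ b/charts/v1.13.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
@@ -57,6 +57,10 @@ spec:
 value: unix://C:\\csi\\csi.sock
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -91,6 +95,10 @@ spec:
 - name: registration-dir
 mountPath: C:\registration
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -141,6 +149,10 @@ spec:
 - name: csi-proxy-smb-pipe-v1beta1
 mountPath: \\.\pipe\csi-proxy-smb-v1beta1
 resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: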

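--- a/charts/v1.13.0/csi-driver-smb/templates/csi-smb-node.yaml
+++ b/charts/v1.13.0/csi-driver-smb/templates/csi-smb-node.yaml
@@ -65,6 +65,9 @@ spec:
 resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -95,6 +98,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -131,6 +138,9 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir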
12 Bytes
Binary file not shown.

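--- a/charts/v1.14.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
+++ b/charts/v1.14.0/csi-driver-smb/templates/csi-smb-node-windows.yaml
@@ -57,6 +57,10 @@ spec:
 value: unix://C:\\csi\\csi.sock
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -91,6 +95,10 @@ spec:
 - name: registration-dir
 mountPath: C:\registration
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -141,6 +149,10 @@ spec:
 - name: csi-proxy-smb-pipe-v1beta1
 mountPath: \\.\pipe\csi-proxy-smb-v1beta1
 resources: {{- toYaml .Values.windows.resources.smb | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: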

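--- a/charts/v1.14.0/csi-driver-smb/templates/csi-smb-node.yaml
+++ b/charts/v1.14.0/csi-driver-smb/templates/csi-smb-node.yaml
@@ -65,6 +65,9 @@ spec:
 resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -95,6 +98,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -129,6 +136,9 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir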

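--- a/deploy/csi-smb-node-windows.yaml
+++ b/deploy/csi-smb-node-windows.yaml
@@ -48,6 +48,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -84,6 +88,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: gcr.io/k8s-staging-sig-storage/smbplugin:canary
 imagePullPolicy: IfNotPresent
@@ -133,6 +141,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: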

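--- a/deploy/csi-smb-node.yaml
+++ b/deploy/csi-smb-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -75,6 +79,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: gcr.io/k8s-staging-sig-storage/smbplugin:canary
 imagePullPolicy: IfNotPresent
@@ -101,6 +109,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir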
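Review bot: The securityContext blocks in this static manifest end up weaker than the chart's for the same containers: the first container's new block holds only the capability drop, and the privileged block in the last hunk shows `privileged: true` with no `readOnlyRootFilesystem`, while charts/latest/csi-driver-smb/templates/csi-smb-node.yaml sets `readOnlyRootFilesystem: true` on both. Since this commit is already touching every one of these blocks, I would add `readOnlyRootFilesystem: true` alongside the drop here, or note in a comment why the static manifests differ, assuming the images run with a read-only root as the chart implies. The container definitions extend beyond the hunks, and deploy/v1.13.0/csi-smb-node.yaml and deploy/v1.14.0/csi-smb-node.yaml show the same gap.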

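--- a/deploy/v1.13.0/csi-smb-node-windows.yaml
+++ b/deploy/v1.13.0/csi-smb-node-windows.yaml
@@ -48,6 +48,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
 args:
@@ -84,6 +88,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: registry.k8s.io/sig-storage/smbplugin:v1.13.0
 imagePullPolicy: IfNotPresent
@@ -133,6 +141,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: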

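--- a/deploy/v1.13.0/csi-smb-node.yaml
+++ b/deploy/v1.13.0/csi-smb-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
 args:
@@ -75,6 +79,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: registry.k8s.io/sig-storage/smbplugin:v1.13.0
 imagePullPolicy: IfNotPresent
@@ -104,6 +112,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir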

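--- a/deploy/v1.14.0/csi-smb-node-windows.yaml
+++ b/deploy/v1.14.0/csi-smb-node-windows.yaml
@@ -48,6 +48,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -84,6 +88,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: registry.k8s.io/sig-storage/smbplugin:v1.14.0
 imagePullPolicy: IfNotPresent
@@ -133,6 +141,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: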

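--- a/deploy/v1.14.0/csi-smb-node.yaml
+++ b/deploy/v1.14.0/csi-smb-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -75,6 +79,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: smb
 image: registry.k8s.io/sig-storage/smbplugin:v1.14.0
 imagePullPolicy: IfNotPresent
@@ -101,6 +109,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir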
