
Commit 1587552

committed
fix shield guard on csi controller and node
1 parent 39dc23c commit 1587552

11 files changed

+126
-0
lines changed
52 Bytes
Binary file not shown.

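--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml
@@ -85,6 +85,10 @@ spec:
 - mountPath: /csi
 name: socket-dir
 resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-attacher
 {{- if hasPrefix "/" .Values.image.csiAttacher.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}"
@@ -107,6 +111,10 @@ spec:
 - mountPath: /csi
 name: socket-dir
 resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-snapshotter
 {{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}"
@@ -125,6 +133,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 {{- if hasPrefix "/" .Values.image.csiResizer.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
@@ -147,6 +159,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -167,6 +183,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -240,6 +260,10 @@ spec:
 readOnly: true
 {{- end }}
 resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}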
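Review bot: Every `securityContext` added in this file drops capabilities but leaves `allowPrivilegeEscalation` unset, while the restricted Pod Security Standard pairs `drop: ALL` with `allowPrivilegeEscalation: false`. I would add `allowPrivilegeEscalation: false` under each new `securityContext:` so that `no_new_privs` is set for these sidecars as well. The block is also hard-coded in the template while `resources` on the line above comes from `.Values`, so chart users cannot adjust it; a values-driven default would be more consistent. The same applies to deploy/csi-azurefile-controller.yaml, both csi-snapshot-controller.yaml files and the non-privileged sidecars in the Linux node manifests. The container specs start and end outside these hunks, so whether a container sets the field elsewhere is not visible here.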

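--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml
@@ -76,6 +76,10 @@ spec:
 - "powershell.exe"
 - "-c"
 - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force"
+securityContext:
+capabilities:
+drop:
+- ALL
 containers:
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
@@ -103,6 +107,10 @@ spec:
 fieldPath: spec.nodeName
 imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp"
@@ -149,4 +157,8 @@ spec:
 fieldPath: spec.nodeName
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 {{- end -}}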
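Review bot: `capabilities` is a Linux-only securityContext field, so the three blocks added here (init container, node-driver-registrar, azurefile) do not harden anything on Windows nodes. Kubernetes documents that this field must be unset when the pod spec declares `os.name: windows`; whether these manifests declare it is not visible in the hunks, but if they do, pod creation would be rejected, and if they do not, the field is ignored. I would remove the blocks from the Windows manifests, or, if they exist only to satisfy a policy check, say so with a comment such as `# Linux-only field, no effect on Windows`. The same applies to csi-azurefile-node-windows.yaml in the chart and to both Windows manifests under deploy/.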

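--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml
@@ -80,6 +80,10 @@ spec:
 value: unix://C:\\csi\\csi.sock
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -118,6 +122,10 @@ spec:
 - name: registration-dir
 mountPath: C:\registration
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -193,6 +201,10 @@ spec:
 - name: csi-proxy-smb-pipe-v1beta1
 mountPath: \\.\pipe\csi-proxy-smb-v1beta1
 resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: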

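--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
@@ -82,6 +82,10 @@ spec:
 - --v=2
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -114,6 +118,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -172,6 +180,9 @@ spec:
 imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }}
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir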
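Review bot: In the last hunk `drop: ALL` is added to the azurefile container right next to `privileged: true`, and the two settings contradict each other. Container runtimes commonly give a privileged container the full capability set and ignore the `capabilities` field, in which case the addition is a no-op; a runtime that honoured the drop would remove capabilities that a node plugin performing mounts presumably needs. Please confirm on the supported runtimes that volume mounts still work, and add a comment such as `# privileged is still set; capabilities.drop is not a hardening boundary for this container` so the manifest does not read as hardened. deploy/csi-azurefile-node.yaml carries the same combination in its last hunk. The container spec starts and continues outside the hunk, so the reason for `privileged: true` is not visible here.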

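--- a/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml
@@ -71,4 +71,8 @@ spec:
 - "--leader-election-namespace={{ .Release.Namespace }}"
 resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
 imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
+securityContext:
+capabilities:
+drop:
+- ALL
 {{- end -}}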

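--- a/deploy/csi-azurefile-controller.yaml
+++ b/deploy/csi-azurefile-controller.yaml
@@ -53,6 +53,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-attacher
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-attacher:v4.3.0
 args:
@@ -75,6 +79,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-snapshotter
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v6.2.1
 args:
@@ -94,6 +102,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.8.0
 args:
@@ -116,6 +128,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.10.0
 args:
@@ -132,6 +148,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
 imagePullPolicy: IfNotPresent
@@ -173,6 +193,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}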

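--- a/deploy/csi-azurefile-node-windows-hostprocess.yaml
+++ b/deploy/csi-azurefile-node-windows-hostprocess.yaml
@@ -49,6 +49,10 @@ spec:
 - "powershell.exe"
 - "-c"
 - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force"
+securityContext:
+capabilities:
+drop:
+- ALL
 containers:
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
@@ -77,6 +81,10 @@ spec:
 requests:
 cpu: 30m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10-windows-hp
 imagePullPolicy: IfNotPresent
@@ -108,3 +116,7 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL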

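--- a/deploy/csi-azurefile-node-windows.yaml
+++ b/deploy/csi-azurefile-node-windows.yaml
@@ -57,6 +57,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
 args:
@@ -93,6 +97,10 @@ spec:
 requests:
 cpu: 30m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
 imagePullPolicy: IfNotPresent
@@ -150,6 +158,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: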

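--- a/deploy/csi-azurefile-node.yaml
+++ b/deploy/csi-azurefile-node.yaml
@@ -54,6 +54,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
 args:
@@ -84,6 +88,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10
 imagePullPolicy: IfNotPresent
@@ -117,6 +125,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir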

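--- a/deploy/csi-snapshot-controller.yaml
+++ b/deploy/csi-snapshot-controller.yaml
@@ -53,3 +53,7 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL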
