
Commit 843511c

authored
Merge pull request #1930 from umagnus/release-1.29-shield
[release-1.29] fix shield guard on csi controller and node
2 parents 164f4d3 + ee74a34 commit 843511c

11 files changed

+114
-0
lines changed
42 Bytes
Binary file not shown.

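--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-controller.yaml
@@ -104,6 +104,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 {{- if hasPrefix "/" .Values.image.csiResizer.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
@@ -126,6 +130,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -146,6 +154,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -219,6 +231,10 @@ spec:
 readOnly: true
 {{- end }}
 resources: {{- toYaml .Values.controller.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}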
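Review bot: The container ahead of csi-snapshotter gets no `securityContext` in this template, although deploy/csi-azurefile-controller.yaml in the same commit receives five blocks, the first of them on the container that precedes csi-snapshotter. The chart gets only four (csi-snapshotter, csi-resizer, liveness-probe, azurefile). That container's definition lies outside these hunks, so it may already carry the block in the chart. If it does not, the rendered chart and the static manifest diverge and one controller sidecar keeps its default capability set. Rendering the chart and comparing each container's `securityContext` with the deploy manifest would confirm which is the case.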

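--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows-hostprocess.yaml
@@ -76,6 +76,10 @@ spec:
 - "powershell.exe"
 - "-c"
 - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force"
+securityContext:
+capabilities:
+drop:
+- ALL
 containers:
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
@@ -103,6 +107,10 @@ spec:
 fieldPath: spec.nodeName
 imagePullPolicy: {{ .Values.image.nodeDriverRegistrar.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}-windows-hp"
@@ -149,4 +157,8 @@ spec:
 fieldPath: spec.nodeName
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 {{- end -}}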
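Review bot: `securityContext.capabilities` is a Linux-only field, so the three blocks added here restrict nothing on a Windows node. They sit on the container ahead of `containers:` (presumably an init container), on node-driver-registrar and on azurefile. The same holds for templates/csi-azurefile-node-windows.yaml, deploy/csi-azurefile-node-windows-hostprocess.yaml and deploy/csi-azurefile-node-windows.yaml. Kubernetes documents that a pod declaring `spec.os.name: windows` must not set this field, and the pod-level spec is outside these hunks, so confirm none of these manifests sets it; otherwise the pods would fail API validation. If the block is kept only to satisfy the guard, a comment such as `# Linux-only field, ignored on Windows; kept for policy compliance` would stop readers from counting it as hardening.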

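--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node-windows.yaml
@@ -80,6 +80,10 @@ spec:
 value: unix://C:\\csi\\csi.sock
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.windows.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -118,6 +122,10 @@ spec:
 - name: registration-dir
 mountPath: C:\registration
 resources: {{- toYaml .Values.windows.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -193,6 +201,10 @@ spec:
 - name: csi-proxy-smb-pipe-v1beta1
 mountPath: \\.\pipe\csi-proxy-smb-v1beta1
 resources: {{- toYaml .Values.windows.resources.azurefile | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: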

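--- a/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml
@@ -82,6 +82,10 @@ spec:
 - --v=2
 imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
 resources: {{- toYaml .Values.linux.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -114,6 +118,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.linux.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 {{- if hasPrefix "/" .Values.image.azurefile.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.azurefile.repository }}:{{ .Values.image.azurefile.tag }}"
@@ -172,6 +180,9 @@ spec:
 imagePullPolicy: {{ .Values.image.azurefile.pullPolicy }}
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir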
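Review bot: In the third hunk `capabilities.drop: [ALL]` is added next to the existing `privileged: true`, and on runtimes such as containerd the capability list is not applied to a privileged container. The azurefile container therefore most likely still starts with the full capability set and host device access, so the block passes the guard without narrowing what a compromised driver process could do on the node. The same pairing is added in deploy/csi-azurefile-node.yaml. If `privileged` has to stay for the mount path, say so above the block, e.g. `# privileged is required for mounting; capabilities.drop has no effect while it is set`. Otherwise test whether the container works unprivileged with only the capabilities it needs added back. The container definition begins and ends outside this hunk.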

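--- a/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml
+++ b/charts/latest/azurefile-csi-driver/templates/csi-snapshot-controller.yaml
@@ -71,4 +71,8 @@ spec:
 - "--leader-election-namespace={{ .Release.Namespace }}"
 resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
 imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
+securityContext:
+capabilities:
+drop:
+- ALL
 {{- end -}}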

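--- a/deploy/csi-azurefile-controller.yaml
+++ b/deploy/csi-azurefile-controller.yaml
@@ -54,6 +54,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-snapshotter
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v6.3.1
 args:
@@ -73,6 +77,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.8.0
 args:
@@ -95,6 +103,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.10.0
 args:
@@ -111,6 +123,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.29.5
 imagePullPolicy: IfNotPresent
@@ -152,6 +168,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}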
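Review bot: All five new `securityContext` blocks stop at `capabilities.drop`, so `allowPrivilegeEscalation` is left unset and the containers run without `no_new_privs`. Adding `allowPrivilegeEscalation: false` to each block is a one-line hardening that none of these controller sidecars should need to opt out of. The same gap is in the chart's controller template and in both snapshot-controller manifests. `readOnlyRootFilesystem: true` and a `seccompProfile` of type `RuntimeDefault` are worth evaluating too, but whether the images tolerate them cannot be judged from these hunks.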

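--- a/deploy/csi-azurefile-node-windows-hostprocess.yaml
+++ b/deploy/csi-azurefile-node-windows-hostprocess.yaml
@@ -49,6 +49,10 @@ spec:
 - "powershell.exe"
 - "-c"
 - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\file.csi.azure.com\\ -Force"
+securityContext:
+capabilities:
+drop:
+- ALL
 containers:
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
@@ -77,6 +81,10 @@ spec:
 requests:
 cpu: 30m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.29.5-windows-hp
 imagePullPolicy: IfNotPresent
@@ -108,3 +116,7 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL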

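--- a/deploy/csi-azurefile-node-windows.yaml
+++ b/deploy/csi-azurefile-node-windows.yaml
@@ -57,6 +57,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
 args:
@@ -93,6 +97,10 @@ spec:
 requests:
 cpu: 30m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.29.5
 imagePullPolicy: IfNotPresent
@@ -150,6 +158,10 @@ spec:
 requests:
 cpu: 10m
 memory: 40Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: csi-proxy-fs-pipe-v1
 hostPath: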

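--- a/deploy/csi-azurefile-node.yaml
+++ b/deploy/csi-azurefile-node.yaml
@@ -54,6 +54,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
 args:
@@ -84,6 +88,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: azurefile
 image: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.29.5
 imagePullPolicy: IfNotPresent
@@ -117,6 +125,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir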

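--- a/deploy/csi-snapshot-controller.yaml
+++ b/deploy/csi-snapshot-controller.yaml
@@ -53,3 +53,7 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL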
