Merge pull request #689 from umagnus/security-context
fix: shield guard issues
k8s-ci-robot committed Jun 17, 2024
2 parents e8db1cb + f3a098a commit 198bf7a
Showing 14 changed files with 98 additions and 0 deletions.
Binary file modified charts/latest/csi-driver-nfs-v0.0.0.tgz
12 changes: 12 additions & 0 deletions charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
Expand Up @@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
Expand All @@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
Expand All @@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:
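Review bot: The `drop: - ALL` added under the nfs container in the last hunk (`@@ -119,6 +129,8 @@`) does not narrow that container's capability set, because the same securityContext keeps `privileged: true` and a privileged container is granted the full capability set by the runtime regardless of its drop/add lists, so the scanner finding is silenced while the effective posture is unchanged. If privileged mode is genuinely required here (presumably for the mount calls the plugin issues — confirm), a comment would keep the next reader from taking the drop list at face value, e.g. `# privileged: true grants every capability; the drop/add lists below do not restrict this container`. In the `@@ -91,6 +94,10 @@` hunk the csi-snapshotter sidecar's new securityContext sets only `capabilities.drop`, whereas the csi-provisioner and liveness-probe sidecars in this same template also carry `readOnlyRootFilesystem: true`; unless the snapshotter needs a writable root filesystem, adding `readOnlyRootFilesystem: true` beside `capabilities` would bring it in line with its siblings. Both points apply equally to the v4.6.0 and v4.7.0 copies of this template, and the privileged-container point to the three deploy/ csi-nfs-controller.yaml manifests as well.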
Expand Up @@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}
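Review bot: The new securityContext in this hunk drops all capabilities but sets nothing else; the restricted Pod Security Standard expects `capabilities.drop: [ALL]` together with `allowPrivilegeEscalation: false`, so consider adding that line beneath `capabilities` here and in the v4.6.0 and v4.7.0 copies of this section. This section's file header is not shown on the page, so the path is inferred from `.Values.externalSnapshotter` to be the chart's csi-snapshot-controller template — verify. Separately, the commit touches deploy/v4.6.0/csi-snapshot-controller.yaml and deploy/v4.7.0/csi-snapshot-controller.yaml but no un-versioned deploy/ snapshot-controller manifest appears among the 14 changed files; if such a file exists alongside deploy/csi-nfs-controller.yaml it appears to have been missed and would stay without the securityContext.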
Binary file modified charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz
12 changes: 12 additions & 0 deletions charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
Expand Up @@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
Expand All @@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
Expand All @@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:
Expand Up @@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}
Binary file modified charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz
12 changes: 12 additions & 0 deletions charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
Expand Up @@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
Expand All @@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
Expand All @@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:
Expand Up @@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}
14 changes: 14 additions & 0 deletions deploy/csi-nfs-controller.yaml
Expand Up @@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
Expand All @@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
Expand All @@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:
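Review bot: The securityContext blocks added to the csi-provisioner, csi-snapshotter and liveness-probe containers in the first three hunks appear to be the first securityContext those containers have in this manifest (the `securityContext:` key itself is an added line), and they carry only `capabilities.drop`, whereas the Helm template for the same containers also sets `readOnlyRootFilesystem: true` on csi-provisioner and liveness-probe; the static manifest is now behind the chart. Add `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` to each of the three sidecar securityContexts, or add a comment stating why the static manifest intentionally differs from the chart. The same gap is present in deploy/v4.6.0/csi-nfs-controller.yaml and deploy/v4.7.0/csi-nfs-controller.yaml.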
14 changes: 14 additions & 0 deletions deploy/v4.6.0/csi-nfs-controller.yaml
Expand Up @@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
Expand All @@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
Expand All @@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:
4 changes: 4 additions & 0 deletions deploy/v4.6.0/csi-snapshot-controller.yaml
Expand Up @@ -63,3 +63,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
14 changes: 14 additions & 0 deletions deploy/v4.7.0/csi-nfs-controller.yaml
Expand Up @@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
Expand All @@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
Expand All @@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:
4 changes: 4 additions & 0 deletions deploy/v4.7.0/csi-snapshot-controller.yaml
Expand Up @@ -63,3 +63,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
