Patch k8scsi sidecars for CVE-2019-11255

Changes:
- Update container image versions that have resolve the CVE according to
[kubernetes/kubernetes/issues/85233](kubernetes/kubernetes#85233)
- Update snapshotter RBAC policy
- Update resizer RBAC policy
- Updates external-provisioner RBAC policy for v1.3.1 image
- Update helm charts with updated RBAC policy

ref: #411

aws-ebs-csi-driver/templates/manifest.yaml

@@ -24,6 +24,12 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["get", "list"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["csinodes"]
     verbs: ["get", "list", "watch"]
@@ -116,6 +122,9 @@ rules:
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
     verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["create", "list", "watch", "delete"]

aws-ebs-csi-driver/values.yaml

@@ -12,19 +12,19 @@ image:
 sidecars:
   provisionerImage:
     repository: quay.io/k8scsi/csi-provisioner
-    tag: "v1.3.0"
+    tag: "v1.3.1"
   attacherImage:
     repository: quay.io/k8scsi/csi-attacher
     tag: "v1.2.0"
   snapshotterImage:
     repository: quay.io/k8scsi/csi-snapshotter
-    tag: "v1.1.0"
+    tag: "v1.2.2"
   livenessProbeImage:
     repository: quay.io/k8scsi/livenessprobe
     tag: "v1.1.0"
   resizerImage:
     repository: quay.io/k8scsi/csi-resizer
-    tag: "v0.2.0"
+    tag: "v0.3.0"
   nodeDriverRegistrarImage:
     repository: quay.io/k8scsi/csi-node-driver-registrar
     tag: "v1.1.0"

deploy/kubernetes/base/controller.yaml

@@ -60,7 +60,7 @@ spec:
             periodSeconds: 10
             failureThreshold: 5
         - name: csi-provisioner
-          image: quay.io/k8scsi/csi-provisioner:v1.3.0
+          image: quay.io/k8scsi/csi-provisioner:v1.3.1
           args:
             - --csi-address=$(ADDRESS)
             - --v=5

deploy/kubernetes/base/rbac.yaml

@@ -26,6 +26,12 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["get", "list"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["csinodes"]
     verbs: ["get", "list", "watch"]

deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml

@@ -8,7 +8,7 @@ spec:
     spec:
       containers:
         - name: csi-resizer
-          image: quay.io/k8scsi/csi-resizer:v0.2.0
+          image: quay.io/k8scsi/csi-resizer:v0.3.0
           args:
             - --csi-address=$(ADDRESS)
             - --v=5

deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml

@@ -8,7 +8,7 @@ spec:
     spec:
       containers:
         - name: csi-snapshotter
-          image: quay.io/k8scsi/csi-snapshotter:v1.1.0
+          image: quay.io/k8scsi/csi-snapshotter:v1.2.2
           args:
             - --csi-address=$(ADDRESS)
             - --connection-timeout=15s

deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml

@@ -29,6 +29,9 @@ rules:
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
     verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["create", "list", "watch", "delete"]