Skip to content

Commit

Permalink
Merge pull request #2354 from umagnus/security-context
Browse files Browse the repository at this point in the history 
fix: shield guard issues
  • Loading branch information
@andyzhangx
andyzhangx committed Jun 19, 2024
2 parents ef2f12a + 9eb5169 commit 01ebda0
Show file tree
Hide file tree
Showing 15 changed files with 180 additions and 0 deletions.
Binary file modified charts/latest/azuredisk-csi-driver-v0.0.0.tgz
View file
Binary file not shown.
28 changes: 28 additions & 0 deletions charts/latest/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
{{- if hasPrefix "/" .Values.image.csiAttacher.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}"
Expand All @@ -109,6 +113,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}"
Expand All @@ -128,6 +136,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
Expand All @@ -149,6 +161,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -168,6 +184,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
{{- if eq .Values.controller.enableTrafficManager true }}
- image: mcr.microsoft.com/aks/ccp/ccp-auto-thrust:master.221118.2
imagePullPolicy: IfNotPresent
Expand All @@ -179,6 +199,10 @@ spec:
ports:
- containerPort: {{ .Values.controller.trafficManagerPort }}
protocol: TCP
securityContext:
capabilities:
drop:
- ALL
{{- end }}
- name: azuredisk
{{- if hasPrefix "/" .Values.image.azuredisk.repository }}
Expand Down Expand Up @@ -281,6 +305,10 @@ spec:
readOnly: true
{{- end }}
resources: {{- toYaml .Values.controller.resources.azuredisk | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
4 changes: 4 additions & 0 deletions charts/latest/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL

---
{{- if .Values.snapshot.VolumeSnapshotClass.enabled -}}
Expand Down
Binary file modified charts/v1.29.5/azuredisk-csi-driver-v1.29.5.tgz
View file
Binary file not shown.
28 changes: 28 additions & 0 deletions charts/v1.29.5/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
{{- if hasPrefix "/" .Values.image.csiAttacher.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}"
Expand All @@ -109,6 +113,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}"
Expand All @@ -128,6 +136,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
Expand All @@ -149,6 +161,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -168,6 +184,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
{{- if eq .Values.controller.enableTrafficManager true }}
- image: mcr.microsoft.com/aks/ccp/ccp-auto-thrust:master.221118.2
imagePullPolicy: IfNotPresent
Expand All @@ -179,6 +199,10 @@ spec:
ports:
- containerPort: {{ .Values.controller.trafficManagerPort }}
protocol: TCP
securityContext:
capabilities:
drop:
- ALL
{{- end }}
- name: azuredisk
{{- if hasPrefix "/" .Values.image.azuredisk.repository }}
Expand Down Expand Up @@ -278,6 +302,10 @@ spec:
readOnly: true
{{- end }}
resources: {{- toYaml .Values.controller.resources.azuredisk | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
4 changes: 4 additions & 0 deletions charts/v1.29.5/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL

---
{{- if .Values.snapshot.VolumeSnapshotClass.enabled -}}
Expand Down
Binary file modified charts/v1.30.1/azuredisk-csi-driver-v1.30.1.tgz
View file
Binary file not shown.
28 changes: 28 additions & 0 deletions charts/v1.30.1/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
{{- if hasPrefix "/" .Values.image.csiAttacher.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiAttacher.repository }}:{{ .Values.image.csiAttacher.tag }}"
Expand All @@ -109,6 +113,10 @@ spec:
- mountPath: /csi
name: socket-dir
resources: {{- toYaml .Values.controller.resources.csiAttacher | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.snapshot.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.snapshot.image.csiSnapshotter.repository }}:{{ .Values.snapshot.image.csiSnapshotter.tag }}"
Expand All @@ -128,6 +136,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiSnapshotter | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
Expand All @@ -149,6 +161,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
Expand All @@ -168,6 +184,10 @@ spec:
- name: socket-dir
mountPath: /csi
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
{{- if eq .Values.controller.enableTrafficManager true }}
- image: mcr.microsoft.com/aks/ccp/ccp-auto-thrust:master.221118.2
imagePullPolicy: IfNotPresent
Expand All @@ -179,6 +199,10 @@ spec:
ports:
- containerPort: {{ .Values.controller.trafficManagerPort }}
protocol: TCP
securityContext:
capabilities:
drop:
- ALL
{{- end }}
- name: azuredisk
{{- if hasPrefix "/" .Values.image.azuredisk.repository }}
Expand Down Expand Up @@ -281,6 +305,10 @@ spec:
readOnly: true
{{- end }}
resources: {{- toYaml .Values.controller.resources.azuredisk | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
4 changes: 4 additions & 0 deletions charts/v1.30.1/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.snapshot.snapshotController.resources | nindent 12 }}
imagePullPolicy: {{ .Values.snapshot.image.csiSnapshotController.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL

---
{{- if .Values.snapshot.VolumeSnapshotClass.enabled -}}
Expand Down
24 changes: 24 additions & 0 deletions deploy/csi-azuredisk-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-attacher
image: mcr.microsoft.com/oss/kubernetes-csi/csi-attacher:v4.5.1
args:
Expand All @@ -82,6 +86,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: mcr.microsoft.com/oss/kubernetes-csi/csi-snapshotter:v7.0.2
args:
Expand All @@ -102,6 +110,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-resizer
image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.10.1
args:
Expand All @@ -124,6 +136,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.12.0
args:
Expand All @@ -140,6 +156,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: azuredisk
image: mcr.microsoft.com/k8s/csi/azuredisk-csi:latest
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -183,6 +203,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: socket-dir
emptyDir: {}
Expand Down
4 changes: 4 additions & 0 deletions deploy/csi-snapshot-controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,3 +56,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
Loading

0 comments on commit 01ebda0

Please sign in to comment.