
Commit e83c009

authored
Merge pull request #695 from umagnus/node-security-context
fix: shield guard issue on CSI node
2 parents 8b3e820 + 75586fb commit e83c009

9 files changed

+57
-0
lines changed

1 Byte
Binary file not shown.

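--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -61,6 +61,9 @@ spec:
 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -93,11 +96,17 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 readOnlyRootFilesystem: true
 {{- if hasPrefix "/" .Values.image.nfs.repository }}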
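Review bot: In the second hunk, `drop: - ALL` is added to the `nfs` container's `capabilities` while `privileged: true` and `allowPrivilegeEscalation: true` stay in place, so the drop very likely has no effect at runtime: common CRI runtimes hand a privileged container the full capability set and do not apply the add/drop lists. The entry can satisfy a policy scanner, but it should not be read as a reduction of what this container can do on the node. I would record that next to it, e.g. `# privileged: true makes the runtime ignore capabilities.add/drop; drop is declared for policy compliance only`. The same applies to the `nfs` container in charts/v4.6.0, charts/v4.7.0 and the three deploy/ manifests; the container spec continues outside the hunk.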
1 Byte
Binary file not shown.

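--- a/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml
+++ b/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -61,6 +61,9 @@ spec:
 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -93,11 +96,17 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 readOnlyRootFilesystem: true
 {{- if hasPrefix "/" .Values.image.nfs.repository }}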
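Review bot: This section edits the template of an already versioned chart directory (`charts/v4.6.0`) in place, and the "Binary file not shown" entry just before it is presumably the repackaged chart archive, so the same chart version now renders a different DaemonSet and would carry a different archive digest. Anyone who pins the chart by version or verifies the archive by digest gets no signal that the content changed. Consider shipping the securityContext change under a new chart version, or at least noting the in-place repackaging in the release notes. The same holds for charts/v4.7.0 and for the versioned manifests under deploy/v4.6.0 and deploy/v4.7.0.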
4 Bytes
Binary file not shown.

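--- a/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml
+++ b/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml
@@ -61,6 +61,9 @@ spec:
 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -93,11 +96,17 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 readOnlyRootFilesystem: true
 {{- if hasPrefix "/" .Values.image.nfs.repository }}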

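--- a/deploy/csi-nfs-node.yaml
+++ b/deploy/csi-nfs-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -77,11 +81,17 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
 args: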
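Review bot: The `securityContext` blocks added for the two sidecars (new lines 48-51 and 84-87) only drop capabilities and leave `allowPrivilegeEscalation` unset. The first one also lacks the `readOnlyRootFilesystem: true` that the chart template carries on what appears to be the same container. Dropping ALL removes most of what escalation could gain, but policy baselines such as Pod Security "restricted" check the field explicitly, so the static manifest and the chart will be scored differently. I would add `allowPrivilegeEscalation: false` beside `capabilities` in both new blocks, plus `readOnlyRootFilesystem: true` if the sidecars do not write to their root filesystem. The same gap is in deploy/v4.6.0 and deploy/v4.7.0; both container specs start outside their hunks.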

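--- a/deploy/v4.6.0/csi-nfs-node.yaml
+++ b/deploy/v4.6.0/csi-nfs-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -77,11 +81,17 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
 args: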

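--- a/deploy/v4.7.0/csi-nfs-node.yaml
+++ b/deploy/v4.7.0/csi-nfs-node.yaml
@@ -45,6 +45,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
 args:
@@ -77,11 +81,17 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: nfs
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+drop:
+- ALL
 allowPrivilegeEscalation: true
 image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
 args: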
