Merge pull request #689 from umagnus/security-context
fix: shield guard issues
This commit is contained in:
Kubernetes Prow Robot
GitHub
commit
198bf7abbc
Binary file not shown.
@ -71,6 +71,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
||||||
@ -91,6 +94,10 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
mountPath: /csi
|
mountPath: /csi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
||||||
@ -109,6 +116,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
||||||
@ -119,6 +129,8 @@ spec:
|
|||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -67,4 +67,8 @@ spec:
|
|||||||
- "--leader-election-namespace={{ .Release.Namespace }}"
|
- "--leader-election-namespace={{ .Release.Namespace }}"
|
||||||
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
||||||
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|||||||
Binary file not shown.
@ -71,6 +71,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
||||||
@ -91,6 +94,10 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
mountPath: /csi
|
mountPath: /csi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
||||||
@ -109,6 +116,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
||||||
@ -119,6 +129,8 @@ spec:
|
|||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -67,4 +67,8 @@ spec:
|
|||||||
- "--leader-election-namespace={{ .Release.Namespace }}"
|
- "--leader-election-namespace={{ .Release.Namespace }}"
|
||||||
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
||||||
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|||||||
Binary file not shown.
@ -71,6 +71,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
|
||||||
@ -91,6 +94,10 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
mountPath: /csi
|
mountPath: /csi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
|
||||||
@ -109,6 +116,9 @@ spec:
|
|||||||
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
{{- if hasPrefix "/" .Values.image.nfs.repository }}
|
||||||
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
|
||||||
@ -119,6 +129,8 @@ spec:
|
|||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -67,4 +67,8 @@ spec:
|
|||||||
- "--leader-election-namespace={{ .Release.Namespace }}"
|
- "--leader-election-namespace={{ .Release.Namespace }}"
|
||||||
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
|
||||||
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|||||||
@ -55,6 +55,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
||||||
args:
|
args:
|
||||||
@ -76,6 +80,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
||||||
args:
|
args:
|
||||||
@ -92,12 +100,18 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
|
image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -55,6 +55,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
||||||
args:
|
args:
|
||||||
@ -76,6 +80,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
||||||
args:
|
args:
|
||||||
@ -92,12 +100,18 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
|
image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -63,3 +63,7 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
|||||||
@ -55,6 +55,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: csi-snapshotter
|
- name: csi-snapshotter
|
||||||
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
|
||||||
args:
|
args:
|
||||||
@ -76,6 +80,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: liveness-probe
|
- name: liveness-probe
|
||||||
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
|
||||||
args:
|
args:
|
||||||
@ -92,12 +100,18 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
- name: nfs
|
- name: nfs
|
||||||
image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
|
image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
capabilities:
|
capabilities:
|
||||||
add: ["SYS_ADMIN"]
|
add: ["SYS_ADMIN"]
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
args:
|
args:
|
||||||
|
|||||||
@ -63,3 +63,7 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user