Merge pull request #256 from andyzhangx/libgmp10

fix: CVE-2021-43618 in Ubuntu image
This commit is contained in:
Andy Zhang 2021-12-21 16:27:51 +08:00 committed by GitHub
commit 532b0a9435
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 49 additions and 14 deletions

26
.github/workflows/pluto.yaml vendored Normal file

@ -0,0 +1,26 @@
name: k8s api version check
on:
pull_request: {}
push: {}
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
# https://pluto.docs.fairwinds.com/advanced/#display-options
- name: Download pluto
uses: FairwindsOps/pluto/github-action@master
- name: Check deploy folder
run: |
pluto detect-files -d deploy
- name: Check example folder
run: |
pluto detect-files -d deploy/example
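Review bot: The Download pluto step references `FairwindsOps/pluto/github-action@master`, a mutable branch, so whatever is pushed there next runs inside this repository's CI with the workflow's token; pin it to a release tag or, better, a full commit SHA (`uses: FairwindsOps/pluto/github-action@<tag-or-commit-sha>`) and let a dependency bot bump it. The workflow also declares no `permissions:` block, so the job gets the default GITHUB_TOKEN scopes although it only needs to read the checkout; adding `permissions: contents: read` at the top level limits what a compromised action could do with it. Indentation appears to have been lost in this rendering, so the nesting is assumed from the key names.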


@ -23,6 +23,6 @@ COPY bin/${ARCH}/nfsplugin /nfsplugin
RUN apt update && apt-mark unhold libcap2 RUN apt update && apt-mark unhold libcap2
RUN clean-install ca-certificates mount nfs-common netbase RUN clean-install ca-certificates mount nfs-common netbase
# install updated packages to fix CVE issues # install updated packages to fix CVE issues
RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10
ENTRYPOINT ["/nfsplugin"] ENTRYPOINT ["/nfsplugin"]
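Review bot: The comment above the `clean-install` line still reads only `install updated packages to fix CVE issues`, so nothing in the file records which package was added for which advisory or when an entry can be dropped once the base image catches up; change it to `# install updated packages to fix CVE issues (libgmp10: CVE-2021-43618)` and extend the list per package. The fix also depends on whichever libgmp10 the apt index serves at build time, which is neither pinned nor checked, so the build cannot tell whether the patched version was actually installed; an image-scan step in CI or a minimum-version check on the package would make the fix verifiable. The hunk header counts six lines but five are visible here, so one context line may be missing from this rendering.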


@ -38,6 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
| Parameter | Description | Default | | Parameter | Description | Default |
|---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------| |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------|
| `driver.name` | alternative driver name | `nfs.csi.k8s.io` | | `driver.name` | alternative driver name | `nfs.csi.k8s.io` |
| `driver.mountPermissions` | mounted folder permissions name | `0777`
| `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` | | `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` |
| `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` | | `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` |
| `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` | | `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` |
@ -70,6 +71,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
| `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi | | `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi |
| `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m |
| `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | | `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi |
| `node.name` | driver node daemonset name | `csi-nfs-node`
| `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1` | `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1`
| `node.logLevel` | node driver log level |`5` | | `node.logLevel` | node driver log level |`5` |
| `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` |


@ -72,6 +72,7 @@ spec:
- "--nodeid=$(NODE_ID)" - "--nodeid=$(NODE_ID)"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"
- "--drivername={{ .Values.driver.name }}" - "--drivername={{ .Values.driver.name }}"
- "--mount-permissions={{ .Values.driver.mountPermissions }}"
env: env:
- name: NODE_ID - name: NODE_ID
valueFrom: valueFrom:
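Review bot: The added `- "--mount-permissions={{ .Values.driver.mountPermissions }}"` renders as `--mount-permissions=` with an empty value when a user's values file predates `driver.mountPermissions`, and an explicitly empty flag overrides the `0777` default the binary now carries, so the effective behaviour then depends on how the driver parses an empty string (not visible in this diff). Wrapping the line in a guard keeps older values files working: `{{- if .Values.driver.mountPermissions }}` / `- "--mount-permissions={{ .Values.driver.mountPermissions }}"` / `{{- end }}`. The same line is added to the node daemonset template in the next hunk and would take the same guard.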


@ -84,6 +84,7 @@ spec:
- "--nodeid=$(NODE_ID)" - "--nodeid=$(NODE_ID)"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"
- "--drivername={{ .Values.driver.name }}" - "--drivername={{ .Values.driver.name }}"
- "--mount-permissions={{ .Values.driver.mountPermissions }}"
env: env:
- name: NODE_ID - name: NODE_ID
valueFrom: valueFrom:


@ -24,6 +24,13 @@ rbac:
create: true create: true
name: nfs name: nfs
driver:
name: nfs.csi.k8s.io
mountPermissions: "0777"
feature:
enableFSGroupPolicy: false
controller: controller:
name: csi-nfs-controller name: csi-nfs-controller
replicas: 2 replicas: 2
@ -92,12 +99,6 @@ node:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
feature:
enableFSGroupPolicy: false
driver:
name: nfs.csi.k8s.io
## Reference to one or more secrets to be used when pulling images ## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## ##
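Review bot: `mountPermissions: "0777"` is quoted, and that quoting is load-bearing: an unquoted `0777` is likely to be read by the YAML parser as an octal integer and rendered into the `--mount-permissions` flag as `511`, but nothing in the file tells users who override the value. Add a comment above the key such as `# mountPermissions must stay a quoted octal string (e.g. "0777"); an unquoted value may be parsed as an integer. It is applied to every provisioned volume subdirectory, so the default is world-writable; tighten it on shared exports.` The `driver:` and `feature:` blocks are otherwise only moved up from lower in the file, and indentation appears lost in this rendering.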


@ -30,7 +30,7 @@ import (
var ( var (
endpoint = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint") endpoint = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
nodeID = flag.String("nodeid", "", "node id") nodeID = flag.String("nodeid", "", "node id")
perm = flag.String("mount-permissions", "", "mounted folder permissions") perm = flag.String("mount-permissions", "0777", "mounted folder permissions")
driverName = flag.String("drivername", nfs.DefaultDriverName, "name of the driver") driverName = flag.String("drivername", nfs.DefaultDriverName, "name of the driver")
) )
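Review bot: Changing the `mount-permissions` default from `""` to `"0777"` means the flag is never empty unless a caller clears it, so, assuming the empty default is what previously left `Driver.perm` nil (the parsing code is not in this diff), both `cs.Driver.perm != nil` in CreateVolume and `ns.Driver.perm != nil` in NodePublishVolume now take the chmod branch by default; for NodePublishVolume that is a new default-on chmod of the publish target, which the PR description (a CVE fix in the image) does not mention. Worth stating in the description and in the flag help, e.g. `perm = flag.String("mount-permissions", "0777", "mounted folder permissions as an octal string, e.g. 0777; applied to new volume subdirectories and to the node mount target")`. The literal `0777` is also repeated as the fallback in CreateVolume, so a shared default constant in the nfs package would keep the two in step.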


@ -50,6 +50,6 @@ echo "chart tgz files verified."
echo "verify helm chart index ..." echo "verify helm chart index ..."
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
helm repo add csi-driver-smb https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts helm repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
helm search repo -l csi-driver-nfs helm search repo -l csi-driver-nfs
echo "helm chart index verified." echo "helm chart index verified."
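Review bot: The `curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash` line above the corrected repo name executes an unpinned script from a moving branch without `--fail`, so a transport error page or a changed script is run as-is in CI. Download it to a file with `curl -fsSL -o get-helm-3 <url>`, compare it against a known checksum or pin a helm release tarball, and only then execute it. The repo-name change itself now matches the `helm search repo -l csi-driver-nfs` on the following line.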


@ -98,14 +98,17 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
} }
}() }()
fileMode := os.FileMode(0777)
if cs.Driver.perm != nil {
fileMode = os.FileMode(*cs.Driver.perm)
}
// Create subdirectory under base-dir // Create subdirectory under base-dir
// TODO: revisit permissions
internalVolumePath := cs.getInternalVolumePath(nfsVol) internalVolumePath := cs.getInternalVolumePath(nfsVol)
if err = os.Mkdir(internalVolumePath, 0777); err != nil && !os.IsExist(err) { if err = os.Mkdir(internalVolumePath, fileMode); err != nil && !os.IsExist(err) {
return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error()) return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error())
} }
// Reset directory permissions because of umask problems // Reset directory permissions because of umask problems
if err = os.Chmod(internalVolumePath, 0777); err != nil { if err = os.Chmod(internalVolumePath, fileMode); err != nil {
klog.Warningf("failed to chmod subdirectory: %v", err.Error()) klog.Warningf("failed to chmod subdirectory: %v", err.Error())
} }
return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol)}, nil return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol)}, nil
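Review bot: The new `fileMode := os.FileMode(0777)` fallback restates the flag default from main.go as a second literal, and with the flag now defaulting to `"0777"` the `cs.Driver.perm == nil` path is presumably reachable only for callers that build the driver without the flag, so the two values will drift silently; declare one `const defaultMountPermissions = os.FileMode(0777) // keep in sync with the mount-permissions flag default` in the nfs package and use it here and in main.go. A why-comment on the new block would also help, e.g. `// Mkdir is subject to the process umask, so the same mode is re-applied with Chmod below.` — the existing `Reset directory permissions because of umask problems` comment explains the Chmod but not why fileMode is computed up front. CreateVolume begins before this hunk; only its tail is visible.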


@ -87,6 +87,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
} }
if ns.Driver.perm != nil { if ns.Driver.perm != nil {
klog.V(2).Infof("volumeID(%v): mount targetPath(%s) with permissions(%o)", volumeID, targetPath, *ns.Driver.perm)
if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil { if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil {
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }


@ -26,11 +26,11 @@ install_ginkgo () {
setup_e2e_binaries() { setup_e2e_binaries() {
# download k8s external e2e binary # download k8s external e2e binary
curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.21.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.23.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz
tar -xvf e2e-tests.tar.gz && rm e2e-tests.tar.gz tar -xvf e2e-tests.tar.gz && rm e2e-tests.tar.gz
# enable fsGroupPolicy (only available from k8s 1.20) # enable fsGroupPolicy (only available from k8s 1.20)
export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0" export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0 --set driver.mountPermissions=0777"
# test on alternative driver name # test on alternative driver name
sed -i "s/nfs.csi.k8s.io/$DRIVER.csi.k8s.io/g" deploy/example/storageclass-nfs.yaml sed -i "s/nfs.csi.k8s.io/$DRIVER.csi.k8s.io/g" deploy/example/storageclass-nfs.yaml
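Review bot: `--set driver.mountPermissions=0777` goes through Helm's `--set`, which coerces values that parse as integers, so the template is likely to receive `777` rather than the quoted `"0777"` that values.yaml uses; `--set-string driver.mountPermissions=0777` keeps the string verbatim (whether `777` and `0777` parse to the same mode depends on the driver's flag parsing, which is not in this diff). The e2e tarball bump to v1.23.0 is still fetched with `curl -sL` and no `--fail` or checksum check, so a failed download only surfaces when `tar` chokes on it; `curl -fsSL` plus a comparison against the release's published checksum file would catch a truncated or substituted archive. `setup_e2e_binaries` continues past the end of this hunk.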