Merge pull request #256 from andyzhangx/libgmp10
fix: CVE-2021-43618 in Ubuntu image
532b0a9435
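--- a/.github/workflows/pluto.yaml
+++ b/.github/workflows/pluto.yaml
@@ -0,0 +1,26 @@
+name: k8s api version check
+on:
+pull_request: {}
+push: {}
+
+jobs:
+
+build:
+name: Build
+runs-on: ubuntu-latest
+steps:
+
+- name: Checkout
+uses: actions/checkout@v2
+
+# https://pluto.docs.fairwinds.com/advanced/#display-options
+- name: Download pluto
+uses: FairwindsOps/pluto/github-action@master
+
+- name: Check deploy folder
+run: |
+pluto detect-files -d deploy
+
+- name: Check example folder
+run: |
+pluto detect-files -d deploy/example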
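Review bot: The `uses: FairwindsOps/pluto/github-action@master` step runs whatever the third-party repository's master branch holds at the time of each run, on every push and pull request, so an upstream change executes in this repository's CI without review. Pin it to a full commit SHA, `uses: FairwindsOps/pluto/github-action@<full-commit-sha>`, and treat `actions/checkout@v2` the same way. The workflow also declares no `permissions:` block; a top-level `permissions:` with `contents: read` would keep the job token read-only for a job that only reads manifests.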
@ -23,6 +23,6 @@ COPY bin/${ARCH}/nfsplugin /nfsplugin
|
||||
RUN apt update && apt-mark unhold libcap2
|
||||
RUN clean-install ca-certificates mount nfs-common netbase
|
||||
# install updated packages to fix CVE issues
|
||||
RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
|
||||
RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10
|
||||
|
||||
ENTRYPOINT ["/nfsplugin"]
|
||||
|
||||
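Review bot: The `libgmp10` added to the last `clean-install` line installs whatever version the base image's apt sources carry at build time, so the image only contains the fix for CVE-2021-43618 if those sources already ship a patched build, and nothing here checks that. The comment above the line should say which package answers which advisory, e.g. `# libgmp10: CVE-2021-43618`, so the entry can be dropped once the base image includes the fix. Scanning the built image in CI would confirm that the patched version actually landed.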
@ -38,6 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
|
||||
| Parameter | Description | Default |
|
||||
|---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------|
|
||||
| `driver.name` | alternative driver name | `nfs.csi.k8s.io` |
|
||||
| `driver.mountPermissions` | mounted folder permissions name | `0777`
|
||||
| `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` |
|
||||
| `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` |
|
||||
| `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` |
|
||||
@ -70,6 +71,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
|
||||
| `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi |
|
||||
| `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m |
|
||||
| `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi |
|
||||
| `node.name` | driver node daemonset name | `csi-nfs-node`
|
||||
| `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1`
|
||||
| `node.logLevel` | node driver log level |`5` |
|
||||
| `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` |
|
||||
|
||||
Binary file not shown.
@ -72,6 +72,7 @@ spec:
|
||||
- "--nodeid=$(NODE_ID)"
|
||||
- "--endpoint=$(CSI_ENDPOINT)"
|
||||
- "--drivername={{ .Values.driver.name }}"
|
||||
- "--mount-permissions={{ .Values.driver.mountPermissions }}"
|
||||
env:
|
||||
- name: NODE_ID
|
||||
valueFrom:
|
||||
|
||||
@ -84,6 +84,7 @@ spec:
|
||||
- "--nodeid=$(NODE_ID)"
|
||||
- "--endpoint=$(CSI_ENDPOINT)"
|
||||
- "--drivername={{ .Values.driver.name }}"
|
||||
- "--mount-permissions={{ .Values.driver.mountPermissions }}"
|
||||
env:
|
||||
- name: NODE_ID
|
||||
valueFrom:
|
||||
|
||||
@ -24,6 +24,13 @@ rbac:
|
||||
create: true
|
||||
name: nfs
|
||||
|
||||
driver:
|
||||
name: nfs.csi.k8s.io
|
||||
mountPermissions: "0777"
|
||||
|
||||
feature:
|
||||
enableFSGroupPolicy: false
|
||||
|
||||
controller:
|
||||
name: csi-nfs-controller
|
||||
replicas: 2
|
||||
@ -92,12 +99,6 @@ node:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
|
||||
feature:
|
||||
enableFSGroupPolicy: false
|
||||
|
||||
driver:
|
||||
name: nfs.csi.k8s.io
|
||||
|
||||
## Reference to one or more secrets to be used when pulling images
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||
##
|
||||
|
||||
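Review bot: The quotes on `mountPermissions: "0777"` are load-bearing and nothing says so. An unquoted `0777` in a user's values file is likely read by the YAML parser as a number and rendered by the `--mount-permissions={{ .Values.driver.mountPermissions }}` template lines as `511`, which the driver would then receive as a different mode string; how the flag is parsed is not visible on this page. I would add a comment above the key, `# octal string; keep the quotes, an unquoted 0777 is parsed as a number`, and note in the README row that `0777` leaves every mounted folder world-writable.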
@ -30,7 +30,7 @@ import (
|
||||
var (
|
||||
endpoint = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
|
||||
nodeID = flag.String("nodeid", "", "node id")
|
||||
perm = flag.String("mount-permissions", "", "mounted folder permissions")
|
||||
perm = flag.String("mount-permissions", "0777", "mounted folder permissions")
|
||||
driverName = flag.String("drivername", nfs.DefaultDriverName, "name of the driver")
|
||||
)
|
||||
|
||||
|
||||
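Review bot: Changing the `mount-permissions` default from `""` to `"0777"` makes world-writable the behaviour for every deployment that does not pass the flag. If the empty string previously left `Driver.perm` nil (the parsing is outside this hunk), the `if ns.Driver.perm != nil` branch in the NodePublishVolume hunk was skipped by default; after this change it runs `os.Chmod(targetPath, ...)` on each publish and resets the mounted export's root to 0777, and CreateVolume applies the same mode to new subdirectories. Consider keeping `""` as the default so the chmod stays opt-in, or choosing a narrower default and saying so in the help text, e.g. `"mounted folder permissions (octal); empty leaves the export's mode unchanged"`.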
@ -50,6 +50,6 @@ echo "chart tgz files verified."
|
||||
|
||||
echo "verify helm chart index ..."
|
||||
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
|
||||
helm repo add csi-driver-smb https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
|
||||
helm repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
|
||||
helm search repo -l csi-driver-nfs
|
||||
echo "helm chart index verified."
|
||||
|
||||
@ -98,14 +98,17 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
|
||||
}
|
||||
}()
|
||||
|
||||
fileMode := os.FileMode(0777)
|
||||
if cs.Driver.perm != nil {
|
||||
fileMode = os.FileMode(*cs.Driver.perm)
|
||||
}
|
||||
// Create subdirectory under base-dir
|
||||
// TODO: revisit permissions
|
||||
internalVolumePath := cs.getInternalVolumePath(nfsVol)
|
||||
if err = os.Mkdir(internalVolumePath, 0777); err != nil && !os.IsExist(err) {
|
||||
if err = os.Mkdir(internalVolumePath, fileMode); err != nil && !os.IsExist(err) {
|
||||
return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error())
|
||||
}
|
||||
// Reset directory permissions because of umask problems
|
||||
if err = os.Chmod(internalVolumePath, 0777); err != nil {
|
||||
if err = os.Chmod(internalVolumePath, fileMode); err != nil {
|
||||
klog.Warningf("failed to chmod subdirectory: %v", err.Error())
|
||||
}
|
||||
return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol)}, nil
|
||||
|
||||
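Review bot: `os.FileMode(*cs.Driver.perm)` takes the configured integer as-is, and Go's FileMode does not keep setuid, setgid or sticky in the octal 07000 positions, so on Linux a value such as 1777 is applied by `os.Mkdir` and `os.Chmod` as plain 0777 with no error or log. Validate the range where the flag is parsed (not visible here), or at least make the truncation explicit with `fileMode = os.FileMode(*cs.Driver.perm).Perm()`. The `// TODO: revisit permissions` comment is now stale and could become `// Mode comes from --mount-permissions; 0777 is the fallback when it is unset`. When the directory already exists and the chmod fails, the volume is still returned with only a warning, so a restrictive setting can silently not be applied. CreateVolume starts and ends outside this hunk.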
@ -87,6 +87,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
|
||||
}
|
||||
|
||||
if ns.Driver.perm != nil {
|
||||
klog.V(2).Infof("volumeID(%v): mount targetPath(%s) with permissions(%o)", volumeID, targetPath, *ns.Driver.perm)
|
||||
if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil {
|
||||
return nil, status.Error(codes.Internal, err.Error())
|
||||
}
|
||||
|
||||
@ -26,11 +26,11 @@ install_ginkgo () {
|
||||
|
||||
setup_e2e_binaries() {
|
||||
# download k8s external e2e binary
|
||||
curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.21.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz
|
||||
curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.23.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz
|
||||
tar -xvf e2e-tests.tar.gz && rm e2e-tests.tar.gz
|
||||
|
||||
# enable fsGroupPolicy (only available from k8s 1.20)
|
||||
export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0"
|
||||
export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0 --set driver.mountPermissions=0777"
|
||||
|
||||
# test on alternative driver name
|
||||
sed -i "s/nfs.csi.k8s.io/$DRIVER.csi.k8s.io/g" deploy/example/storageclass-nfs.yaml
|
||||
|
||||