kubernetes-csi/csi-driver-nfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix shield guard on CSI node

Browse Source
This commit is contained in:
umagnus 2024-06-20 09:04:09 +00:00
parent 198bf7abbc
commit 75586fb172
9 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
charts/latest/csi-driver-nfs-v0.0.0.tgz
View File

Binary file not shown.

9
charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml
View File

@ -61,6 +61,9 @@ spec:
resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@ -93,11 +96,17 @@ spec:
- name: registration-dir - name: registration-dir
mountPath: /registration mountPath: /registration
resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
{{- if hasPrefix "/" .Values.image.nfs.repository }} {{- if hasPrefix "/" .Values.image.nfs.repository }}

BIN
charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz
View File

Binary file not shown.

9
charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml
View File

@ -61,6 +61,9 @@ spec:
resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@ -93,11 +96,17 @@ spec:
- name: registration-dir - name: registration-dir
mountPath: /registration mountPath: /registration
resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
{{- if hasPrefix "/" .Values.image.nfs.repository }} {{- if hasPrefix "/" .Values.image.nfs.repository }}

BIN
charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz
View File

Binary file not shown.

9
charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml
View File

@ -61,6 +61,9 @@ spec:
resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@ -93,11 +96,17 @@ spec:
- name: registration-dir - name: registration-dir
mountPath: /registration mountPath: /registration
resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
{{- if hasPrefix "/" .Values.image.nfs.repository }} {{- if hasPrefix "/" .Values.image.nfs.repository }}

10
deploy/csi-nfs-node.yaml
View File

@ -45,6 +45,10 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args: args:
@ -77,11 +81,17 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
args: args:

10
deploy/v4.6.0/csi-nfs-node.yaml
View File

@ -45,6 +45,10 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args: args:
@ -77,11 +81,17 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0 image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
args: args:

10
deploy/v4.7.0/csi-nfs-node.yaml
View File

@ -45,6 +45,10 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: node-driver-registrar - name: node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
args: args:
@ -77,11 +81,17 @@ spec:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs - name: nfs
securityContext: securityContext:
privileged: true privileged: true
capabilities: capabilities:
add: ["SYS_ADMIN"] add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0 image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
args: args: