diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz index 340c251e..695048bc 100644 Binary files a/charts/latest/csi-driver-nfs-v0.0.0.tgz and b/charts/latest/csi-driver-nfs-v0.0.0.tgz differ diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml index cb42d57e..89778b4b 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml @@ -61,6 +61,9 @@ spec: resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} securityContext: readOnlyRootFilesystem: true + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -93,11 +96,17 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true readOnlyRootFilesystem: true {{- if hasPrefix "/" .Values.image.nfs.repository }} diff --git a/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz b/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz index 53cc4487..0d3e6924 100644 Binary files a/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz and b/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz differ diff --git a/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml index cb42d57e..89778b4b 100644 --- a/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-node.yaml 
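Review bot: In the `@@ -61,6 +61,9 @@` hunk of charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml, the securityContext that now drops all capabilities still leaves `allowPrivilegeEscalation` unset, so no_new_privs is not applied to this sidecar. Add `allowPrivilegeEscalation: false` beside `readOnlyRootFilesystem: true`, which is the pairing the Pod Security "restricted" profile expects with a full capability drop. The new `securityContext` for `node-driver-registrar` in the following hunk has the same gap, as do the matching hunks in the v4.6.0 and v4.7.0 chart templates and the three deploy/ manifests. The container definition begins above the hunk, so its name (presumably the liveness probe, going by the `resources` value) should be confirmed there.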
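Review bot: The `drop: - ALL` added to the `nfs` container in the `@@ -93,11 +96,17 @@` hunk of charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml changes nothing while `privileged: true` stays on the same securityContext. Container runtimes typically give a privileged container the full capability set and ignore its `capabilities` list, and `allowPrivilegeEscalation: true` is kept as well. The manifest therefore reads as hardened although the container's effective privileges are the same as before. Either leave the drop out, or add a comment above `privileged: true` such as `# privileged is required for <reason>; capabilities.drop is not enforced for privileged containers`. If the driver can run with `SYS_ADMIN` alone (not verifiable here, since the container spec continues below the hunk), removing `privileged: true` is what would make the drop effective. The same lines recur in the second hunk of the v4.6.0 and v4.7.0 chart templates and of deploy/csi-nfs-node.yaml, deploy/v4.6.0 and deploy/v4.7.0.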
@@ -61,6 +61,9 @@ spec: resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} securityContext: readOnlyRootFilesystem: true + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -93,11 +96,17 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true readOnlyRootFilesystem: true {{- if hasPrefix "/" .Values.image.nfs.repository }} diff --git a/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz b/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz index 48918510..9aec45eb 100644 Binary files a/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz and b/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz differ diff --git a/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml index cb42d57e..89778b4b 100644 --- a/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-node.yaml @@ -61,6 +61,9 @@ spec: resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} securityContext: readOnlyRootFilesystem: true + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" 
@@ -93,11 +96,17 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true readOnlyRootFilesystem: true {{- if hasPrefix "/" .Values.image.nfs.repository }} diff --git a/deploy/csi-nfs-node.yaml b/deploy/csi-nfs-node.yaml index bcdc2999..acf66dd2 100644 --- a/deploy/csi-nfs-node.yaml +++ b/deploy/csi-nfs-node.yaml @@ -45,6 +45,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: @@ -77,11 +81,17 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary args: diff --git a/deploy/v4.6.0/csi-nfs-node.yaml b/deploy/v4.6.0/csi-nfs-node.yaml index 63b00809..519ac3d1 100644 --- a/deploy/v4.6.0/csi-nfs-node.yaml +++ b/deploy/v4.6.0/csi-nfs-node.yaml @@ -45,6 +45,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: @@ -77,11 +81,17 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0 args: diff --git a/deploy/v4.7.0/csi-nfs-node.yaml b/deploy/v4.7.0/csi-nfs-node.yaml index 22aadb38..c4b8926f 100644 --- a/deploy/v4.7.0/csi-nfs-node.yaml +++ b/deploy/v4.7.0/csi-nfs-node.yaml 
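Review bot: The `securityContext` introduced in the `@@ -45,6 +45,10 @@` hunk of deploy/csi-nfs-node.yaml holds only the capability drop, whereas the Helm template sets `readOnlyRootFilesystem: true` on what appears to be the same sidecar (the container listed before `node-driver-registrar`). Since the block is new here, add `readOnlyRootFilesystem: true` to it so the static manifests and the chart give the same hardening. The container's name and image are outside the hunk, so confirm it is the liveness probe before applying. deploy/v4.6.0 and deploy/v4.7.0 have the same gap. The `nfs` container in these manifests also goes straight from `allowPrivilegeEscalation: true` to `image:` without the `readOnlyRootFilesystem: true` that the chart template shows.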
@@ -45,6 +45,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: @@ -77,11 +81,17 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: nfs securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] + drop: + - ALL allowPrivilegeEscalation: true image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0 args: