diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz
index d2e935d0..340c251e 100644
Binary files a/charts/latest/csi-driver-nfs-v0.0.0.tgz and b/charts/latest/csi-driver-nfs-v0.0.0.tgz differ
diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
index 7fad4402..b3c880f2 100644
--- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
@@ -71,6 +71,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 {{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@@ -91,6 +94,10 @@ spec:
 volumeMounts:
 - name: socket-dir
 mountPath: /csi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -109,6 +116,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 {{- if hasPrefix "/" .Values.image.nfs.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@@ -119,6 +129,8 @@ spec:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
 args:
diff --git a/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
index 60f0afc0..448c9b4c 100644
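Review bot: In the csi-provisioner `securityContext` (hunk at -71,6), `capabilities.drop: ALL` is added but `allowPrivilegeEscalation` is left at its default, so the container still starts without `no_new_privs`. Adding `allowPrivilegeEscalation: false` beside `readOnlyRootFilesystem: true` would close that gap, and a `seccompProfile` with `type: RuntimeDefault` is the other setting the restricted Pod Security profile expects alongside the capability drop. The same applies to the csi-snapshotter and liveness-probe hunks, the snapshot-controller template, and the v4.6.0/v4.7.0 and `deploy/` copies. Whether these sidecar images already run as a non-root user is not visible here, and the container spec begins outside the hunk.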
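Review bot: The `securityContext` added for csi-snapshotter (hunk at -91,6) omits `readOnlyRootFilesystem: true`, which the neighbouring csi-provisioner and liveness-probe containers carry in the hunks at -71,6 and -109,6. The only mount visible here is `socket-dir` at `/csi`, so the snapshotter presumably does not need a writable root filesystem; if that holds, add `readOnlyRootFilesystem: true` under the new `securityContext:`. The v4.6.0 and v4.7.0 chart copies have the same gap.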
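Review bot: On the nfs container (hunk at -119,6) the added `drop: - ALL` sits under `privileged: true`, and container runtimes generally give a privileged container the full capability set regardless of the `add`/`drop` lists, so this entry is unlikely to reduce what the driver process can do. If it is there to satisfy a policy scanner, say so in a comment such as `# no effect while privileged: true; kept for policy checks`; an actual reduction would mean removing `privileged: true` and relying on `add: ["SYS_ADMIN"]` alone, which would need testing against the NFS mount path. `allowPrivilegeEscalation: true` also remains on this container. The same lines recur in the v4.6.0/v4.7.0 charts and in the three `csi-nfs-controller.yaml` manifests under `deploy/`.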
--- a/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
+++ b/charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
@@ -67,4 +67,8 @@ spec:
 - "--leader-election-namespace={{ .Release.Namespace }}"
 resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
 imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 {{- end -}}
diff --git a/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz b/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz
index 05d52317..53cc4487 100644
Binary files a/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz and b/charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz differ
diff --git a/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
index 7fad4402..b3c880f2 100644
--- a/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
+++ b/charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
@@ -71,6 +71,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 {{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@@ -91,6 +94,10 @@ spec:
 volumeMounts:
 - name: socket-dir
 mountPath: /csi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
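Review bot: Editing the templates under `charts/v4.6.0` and rebuilding `csi-driver-nfs-v4.6.0.tgz` in the same commit leaves two different archives carrying the label v4.6.0, which breaks digest pinning and makes it hard to tell which contents a cluster actually installed. If this version has already been released, the hardening would be safer shipped under a new chart version; if the in-place update is intentional, the chart repository index digest has to be regenerated with it, and that file is not part of this diff. The same concern applies to `charts/v4.7.0` and its `.tgz`.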
@@ -109,6 +116,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 {{- if hasPrefix "/" .Values.image.nfs.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@@ -119,6 +129,8 @@ spec:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
 args:
diff --git a/charts/v4.6.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml b/charts/v4.6.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
index 60f0afc0..448c9b4c 100644
--- a/charts/v4.6.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
+++ b/charts/v4.6.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
@@ -67,4 +67,8 @@ spec:
 - "--leader-election-namespace={{ .Release.Namespace }}"
 resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
 imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 {{- end -}}
diff --git a/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz b/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz
index a3456aa5..48918510 100644
Binary files a/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz and b/charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz differ
diff --git a/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
index 7fad4402..b3c880f2 100644
--- a/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
+++ b/charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
@@ -71,6 +71,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 {{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@@ -91,6 +94,10 @@ spec:
 volumeMounts:
 - name: socket-dir
 mountPath: /csi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -109,6 +116,9 @@ spec:
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
 securityContext:
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 {{- if hasPrefix "/" .Values.image.nfs.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@@ -119,6 +129,8 @@ spec:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
 args:
diff --git a/charts/v4.7.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml b/charts/v4.7.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
index 60f0afc0..448c9b4c 100644
--- a/charts/v4.7.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
+++ b/charts/v4.7.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
@@ -67,4 +67,8 @@ spec:
 - "--leader-election-namespace={{ .Release.Namespace }}"
 resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
 imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 {{- end -}}
diff --git a/deploy/csi-nfs-controller.yaml b/deploy/csi-nfs-controller.yaml
index d9d22174..ff7a7d4c 100644
--- a/deploy/csi-nfs-controller.yaml
+++ b/deploy/csi-nfs-controller.yaml
@@ -55,6 +55,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
 args:
@@ -76,6 +80,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
 args:
@@ -92,12 +100,18 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: IfNotPresent
 args:
diff --git a/deploy/v4.6.0/csi-nfs-controller.yaml b/deploy/v4.6.0/csi-nfs-controller.yaml
index 16ba3600..17a9011a 100644
--- a/deploy/v4.6.0/csi-nfs-controller.yaml
+++ b/deploy/v4.6.0/csi-nfs-controller.yaml
@@ -55,6 +55,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
 args:
@@ -76,6 +80,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
 args:
@@ -92,12 +100,18 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: IfNotPresent
 args:
diff --git a/deploy/v4.6.0/csi-snapshot-controller.yaml b/deploy/v4.6.0/csi-snapshot-controller.yaml
index 557d03e0..246ad37c 100644
--- a/deploy/v4.6.0/csi-snapshot-controller.yaml
+++ b/deploy/v4.6.0/csi-snapshot-controller.yaml
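Review bot: In `deploy/csi-nfs-controller.yaml` the sidecar `securityContext` blocks are newly added (hunks at -55,6, -76,6 and -92,12) and contain only the capability drop, whereas the Helm templates in this same commit show `readOnlyRootFilesystem: true` already present on csi-provisioner and liveness-probe. Unless the static manifests set it somewhere outside these hunks, an install from `deploy/` ends up less restricted than an install from the chart. Adding `readOnlyRootFilesystem: true` to the matching containers would keep the two delivery paths in step. `deploy/v4.6.0/csi-nfs-controller.yaml` and `deploy/v4.7.0/csi-nfs-controller.yaml` share the gap.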
@@ -63,3 +63,7 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
diff --git a/deploy/v4.7.0/csi-nfs-controller.yaml b/deploy/v4.7.0/csi-nfs-controller.yaml
index ef72f046..3b3deed5 100644
--- a/deploy/v4.7.0/csi-nfs-controller.yaml
+++ b/deploy/v4.7.0/csi-nfs-controller.yaml
@@ -55,6 +55,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: csi-snapshotter
 image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
 args:
@@ -76,6 +80,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: liveness-probe
 image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
 args:
@@ -92,12 +100,18 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 - name: nfs
 image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
 securityContext:
 privileged: true
 capabilities:
 add: ["SYS_ADMIN"]
+ drop:
+ - ALL
 allowPrivilegeEscalation: true
 imagePullPolicy: IfNotPresent
 args:
diff --git a/deploy/v4.7.0/csi-snapshot-controller.yaml b/deploy/v4.7.0/csi-snapshot-controller.yaml
index 557d03e0..246ad37c 100644
--- a/deploy/v4.7.0/csi-snapshot-controller.yaml
+++ b/deploy/v4.7.0/csi-snapshot-controller.yaml
@@ -63,3 +63,7 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL