kubernetes-csi/csi-driver-nfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix shield guard issues for KSM:

Browse Source
This commit is contained in:
umagnus 2024-06-13 07:07:06 +00:00
parent ad6d73c5a4
commit f3a098a1ba
14 changed files with 98 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
charts/latest/csi-driver-nfs-v0.0.0.tgz
View File

Binary file not shown.

12
charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml
View File

@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:

4
charts/latest/csi-driver-nfs/templates/csi-snapshot-controller.yaml
View File

@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}

BIN
charts/v4.6.0/csi-driver-nfs-v4.6.0.tgz
View File

Binary file not shown.

12
charts/v4.6.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
View File

@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:

4
charts/v4.6.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
View File

@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}

BIN
charts/v4.7.0/csi-driver-nfs-v4.7.0.tgz
View File

Binary file not shown.

12
charts/v4.7.0/csi-driver-nfs/templates/csi-nfs-controller.yaml
View File

@ -71,6 +71,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: csi-snapshotter
{{- if hasPrefix "/" .Values.image.csiSnapshotter.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiSnapshotter.repository }}:{{ .Values.image.csiSnapshotter.tag }}"
@ -91,6 +94,10 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /csi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@ -109,6 +116,9 @@ spec:
resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
- name: nfs
{{- if hasPrefix "/" .Values.image.nfs.repository }}
image: "{{ .Values.image.baseRepo }}{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}"
@ -119,6 +129,8 @@ spec:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: {{ .Values.image.nfs.pullPolicy }}
args:

4
charts/v4.7.0/csi-driver-nfs/templates/csi-snapshot-controller.yaml
View File

@ -67,4 +67,8 @@ spec:
- "--leader-election-namespace={{ .Release.Namespace }}"
resources: {{- toYaml .Values.externalSnapshotter.resources | nindent 12 }}
imagePullPolicy: {{ .Values.image.externalSnapshotter.pullPolicy }}
securityContext:
capabilities:
drop:
- ALL
{{- end -}}

14
deploy/csi-nfs-controller.yaml
View File

@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: gcr.io/k8s-staging-sig-storage/nfsplugin:canary
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:

14
deploy/v4.6.0/csi-nfs-controller.yaml
View File

@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: registry.k8s.io/sig-storage/nfsplugin:v4.6.0
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:

4
deploy/v4.6.0/csi-snapshot-controller.yaml
View File

@ -63,3 +63,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL

14
deploy/v4.7.0/csi-nfs-controller.yaml
View File

@ -55,6 +55,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: csi-snapshotter
image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3
args:
@ -76,6 +80,10 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
args:
@ -92,12 +100,18 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL
- name: nfs
image: registry.k8s.io/sig-storage/nfsplugin:v4.7.0
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
drop:
- ALL
allowPrivilegeEscalation: true
imagePullPolicy: IfNotPresent
args:

4
deploy/v4.7.0/csi-snapshot-controller.yaml
View File

@ -63,3 +63,7 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
capabilities:
drop:
- ALL