Fix shield guard issues for KSM

kubernetes-csi · Jun 17, 2024 · d2ea6da · d2ea6da
1 parent ee65b1c
commit d2ea6da
Show file tree

Hide file tree

Showing 9 changed files with 60 additions and 0 deletions.
diff --git a/charts/latest/csi-driver-smb-v0.0.0.tgz b/charts/latest/csi-driver-smb-v0.0.0.tgz
diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -74,6 +74,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -92,6 +95,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -124,6 +130,9 @@ spec:
           securityContext:
             privileged: true
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/charts/v1.13.0/csi-driver-smb-v1.13.0.tgz b/charts/v1.13.0/csi-driver-smb-v1.13.0.tgz
diff --git a/charts/v1.13.0/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/v1.13.0/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -74,6 +74,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -92,6 +95,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -126,6 +132,9 @@ spec:
           securityContext:
             privileged: true
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/charts/v1.14.0/csi-driver-smb-v1.14.0.tgz b/charts/v1.14.0/csi-driver-smb-v1.14.0.tgz
diff --git a/charts/v1.14.0/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/v1.14.0/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -74,6 +74,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -92,6 +95,9 @@ spec:
           resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
         - name: smb
 {{- if hasPrefix "/" .Values.image.smb.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.smb.repository }}:{{ .Values.image.smb.tag }}"
@@ -124,6 +130,9 @@ spec:
           securityContext:
             privileged: true
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/deploy/csi-smb-controller.yaml b/deploy/csi-smb-controller.yaml
@@ -55,6 +55,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
           args:
@@ -72,6 +76,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: smb
           image: gcr.io/k8s-staging-sig-storage/smbplugin:canary
           imagePullPolicy: IfNotPresent
@@ -97,6 +105,9 @@ spec:
               value: unix:///csi/csi.sock
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/deploy/v1.13.0/csi-smb-controller.yaml b/deploy/v1.13.0/csi-smb-controller.yaml
@@ -55,6 +55,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.11.0
           args:
@@ -72,6 +76,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: smb
           image: registry.k8s.io/sig-storage/smbplugin:v1.13.0
           imagePullPolicy: IfNotPresent
@@ -99,6 +107,9 @@ spec:
               value: unix:///csi/csi.sock
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/deploy/v1.14.0/csi-smb-controller.yaml b/deploy/v1.14.0/csi-smb-controller.yaml
@@ -55,6 +55,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0
           args:
@@ -72,6 +76,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: smb
           image: registry.k8s.io/sig-storage/smbplugin:v1.14.0
           imagePullPolicy: IfNotPresent
@@ -97,6 +105,9 @@ spec:
               value: unix:///csi/csi.sock
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir