
Commit dbc7bfc

committed
fix shield guard on csi controller and node
1 parent b117beb commit dbc7bfc


5 files changed

+63
-0
lines changed

35 Bytes
Binary file not shown.

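--- a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
+++ b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -82,6 +82,10 @@ spec:
 - mountPath: /csi
 name: socket-dir
 resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 {{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
@@ -97,6 +101,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: blob
 {{- if hasPrefix "/" .Values.image.blob.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
@@ -169,6 +177,10 @@ spec:
 readOnly: true
 {{- end }}
 resources: {{- toYaml .Values.controller.resources.blob | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 {{- if hasPrefix "/" .Values.image.csiResizer.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
@@ -189,6 +201,10 @@ spec:
 - name: socket-dir
 mountPath: /csi
 resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}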
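Review bot: The four new `securityContext` blocks (new lines 85-88, 104-107, 180-183 and 204-207) drop every capability but leave `allowPrivilegeEscalation` unset, and Kubernetes allows escalation when it is unset; adding `allowPrivilegeEscalation: false` under each `securityContext:` sets no_new_privs and is the usual companion to a full drop. The block is also fixed in the template, while `resources` on the line just above each one is read from `.Values.controller.resources.*`, so an operator whose policy asks for more (or whose sidecar needs one capability back) has to fork the chart; consider reading it from values with this block as the default. The same blocks are added in the liveness-probe and node-driver-registrar hunks of csi-blob-node.yaml and in both deploy/ manifests. Each container definition starts outside its hunk, so any pod-level security context is not visible here.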

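--- a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
+++ b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
@@ -78,6 +78,9 @@ spec:
 - "/blobfuse-proxy/init.sh"
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 env:
 - name: DEBIAN_FRONTEND
 value: "noninteractive"
@@ -121,6 +124,10 @@ spec:
 - --health-port={{ .Values.node.livenessProbe.healthPort }}
 - --v=2
 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -150,6 +157,10 @@ spec:
 - name: registration-dir
 mountPath: /registration
 resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: blob
 {{- if hasPrefix "/" .Values.image.blob.repository }}
 image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
@@ -215,6 +226,9 @@ spec:
 imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
@@ -258,6 +272,9 @@ spec:
 imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }}
 volumeMounts:
 - mountPath: /opt/microsoft/aznfs/data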
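Review bot: In the three hunks that add `capabilities.drop: [ALL]` beneath an existing `privileged: true` (new lines 81-83, 229-231 and 275-277), the drop probably does not reduce what the container can do: as far as I know, containerd and other common runtimes give a privileged container the full capability set and do not apply the add/drop lists. If the aim is to satisfy a policy scanner, say so next to the block, for example `# privileged: true takes precedence on most runtimes; drop list kept for policy compliance`, so these containers are not later read as hardened. A real reduction would need `privileged: false` plus only the capabilities and devices the mounts require, and whether the blobfuse and aznfs mounts allow that is not visible in these hunks. The same pattern is added in deploy/csi-blob-node.yaml at new lines 49-51 and 170-172.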

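--- a/deploy/csi-blob-controller.yaml
+++ b/deploy/csi-blob-controller.yaml
@@ -57,6 +57,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: liveness-probe
 image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.10.0
 args:
@@ -72,6 +76,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: blob
 image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.23.5
 imagePullPolicy: IfNotPresent
@@ -113,6 +121,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: csi-resizer
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v1.8.0
 args:
@@ -133,6 +145,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 volumes:
 - name: socket-dir
 emptyDir: {}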

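--- a/deploy/csi-blob-node.yaml
+++ b/deploy/csi-blob-node.yaml
@@ -46,6 +46,9 @@ spec:
 - "/blobfuse-proxy/init.sh"
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 env:
 - name: DEBIAN_FRONTEND
 value: "noninteractive"
@@ -89,6 +92,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: node-driver-registrar
 image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
 args:
@@ -119,6 +126,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+securityContext:
+capabilities:
+drop:
+- ALL
 - name: blob
 image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.23.5
 imagePullPolicy: IfNotPresent
@@ -156,6 +167,9 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - mountPath: /csi
 name: socket-dir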
