fix shield guard

umagnus · umagnus · commit d8c278911fff · 2024-06-18T04:15:40.000Z
diff --git a/charts/latest/blob-csi-driver-v0.0.0.tgz b/charts/latest/blob-csi-driver-v0.0.0.tgz
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
@@ -78,6 +78,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -123,6 +126,10 @@ spec:
             - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }}
             - --v=2
           resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -152,6 +159,10 @@ spec:
             - name: registration-dir
               mountPath: /registration
           resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: blob
 {{- if hasPrefix "/" .Values.image.blob.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
@@ -218,6 +229,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
@@ -261,6 +275,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }}
           volumeMounts:
             - mountPath: /opt/microsoft/aznfs/data
diff --git a/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz b/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz
diff --git a/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml
@@ -79,6 +79,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -119,6 +122,10 @@ spec:
             - --health-port={{ .Values.node.livenessProbe.healthPort }}
             - --v=2
           resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -148,6 +155,10 @@ spec:
             - name: registration-dir
               mountPath: /registration
           resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: blob
 {{- if hasPrefix "/" .Values.image.blob.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
@@ -216,6 +227,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
@@ -259,6 +273,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }}
           volumeMounts:
             - mountPath: /opt/microsoft/aznfs/data
diff --git a/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz b/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz
diff --git a/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml
@@ -78,6 +78,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -123,6 +126,10 @@ spec:
             - --health-port={{ .Values.node.livenessProbe.healthPort }}
             - --v=2
           resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: node-driver-registrar
 {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
@@ -152,6 +159,10 @@ spec:
             - name: registration-dir
               mountPath: /registration
           resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
         - name: blob
 {{- if hasPrefix "/" .Values.image.blob.repository }}
           image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
@@ -218,6 +229,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
@@ -261,6 +275,9 @@ spec:
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+              - ALL
           resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }}
           volumeMounts:
             - mountPath: /opt/microsoft/aznfs/data
diff --git a/deploy/csi-blob-node.yaml b/deploy/csi-blob-node.yaml
@@ -46,6 +46,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -89,6 +92,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: node-driver-registrar
           image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.10.1
           args:
@@ -119,6 +126,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: blob
           image: mcr.microsoft.com/k8s/csi/blob-csi:latest
           imagePullPolicy: IfNotPresent
@@ -158,6 +169,9 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
@@ -186,6 +200,9 @@ spec:
           imagePullPolicy: IfNotPresent
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           resources:
             limits:
               memory: 100Mi
diff --git a/deploy/v1.22.6/csi-blob-node.yaml b/deploy/v1.22.6/csi-blob-node.yaml
@@ -46,6 +46,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -87,6 +90,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: node-driver-registrar
           image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0
           args:
@@ -117,6 +124,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: blob
           image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.22.6
           imagePullPolicy: IfNotPresent
@@ -157,6 +168,9 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
diff --git a/deploy/v1.24.1/csi-blob-node.yaml b/deploy/v1.24.1/csi-blob-node.yaml
@@ -46,6 +46,9 @@ spec:
             - "/blobfuse-proxy/init.sh"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: DEBIAN_FRONTEND
               value: "noninteractive"
@@ -89,6 +92,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: node-driver-registrar
           image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.10.1
           args:
@@ -119,6 +126,10 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
         - name: blob
           image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.24.1
           imagePullPolicy: IfNotPresent
@@ -158,6 +169,9 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - mountPath: /csi
               name: socket-dir
@@ -186,6 +200,9 @@ spec:
           imagePullPolicy: IfNotPresent
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
           resources:
             limits:
               memory: 100Mi
