From c130d0ddd81fc27ad260b5adb5a5051121915029 Mon Sep 17 00:00:00 2001
From: Mazen Selim
Date: Fri, 11 Oct 2024 19:10:51 +0000
Subject: [PATCH 1/5] Update kubernetes to version 1.27.16 to patch CVE-2024-5321
---
 go.mod | 2 +-
 vendor/modules.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 77c894a95..4a9b307a4 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 k8s.io/apimachinery v0.26.15
 k8s.io/client-go v0.26.15
 k8s.io/klog/v2 v2.90.1
- k8s.io/kubernetes v1.26.15
+ k8s.io/kubernetes v1.27.16
 k8s.io/mount-utils v0.26.15
 k8s.io/pod-security-admission v0.26.15
 )
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0f3d8c9d1..36a527cc3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1130,7 +1130,7 @@ k8s.io/kube-openapi/pkg/validation/spec
 ## explicit; go 1.19
 k8s.io/kubectl/pkg/scale
 k8s.io/kubectl/pkg/util/podutils
-# k8s.io/kubernetes v1.26.15
+# k8s.io/kubernetes v1.27.16
 ## explicit; go 1.19
 k8s.io/kubernetes/pkg/api/legacyscheme
 k8s.io/kubernetes/pkg/api/service
From d0b0a839005f89339c56fbc7837dc85de130cc8d Mon Sep 17 00:00:00 2001
From: jrakas-dev
Date: Tue, 22 Oct 2024 15:19:21 +0000
Subject: [PATCH 2/5] Post-release updates for release v2.0.9
---
 charts/aws-efs-csi-driver/CHANGELOG.md | 2 ++
 charts/aws-efs-csi-driver/Chart.yaml | 4 ++--
 charts/aws-efs-csi-driver/values.yaml | 2 +-
 deploy/kubernetes/base/controller-deployment.yaml | 2 +-
 deploy/kubernetes/base/node-daemonset.yaml | 2 +-
 deploy/kubernetes/overlays/stable/ecr/kustomization.yaml | 2 +-
 deploy/kubernetes/overlays/stable/kustomization.yaml | 2 +-
 7 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/charts/aws-efs-csi-driver/CHANGELOG.md b/charts/aws-efs-csi-driver/CHANGELOG.md
index c49088ba7..b1857115c 100644
--- a/charts/aws-efs-csi-driver/CHANGELOG.md
+++ b/charts/aws-efs-csi-driver/CHANGELOG.md
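Review bot: The `+` line moves `k8s.io/kubernetes` to v1.27.16 while the context lines keep `k8s.io/apimachinery`, `k8s.io/client-go`, `k8s.io/mount-utils` and `k8s.io/pod-security-admission` at v0.26.15, and the diffstat lists only `go.mod` and `vendor/modules.txt`, so neither `go.sum` nor the vendored sources under `vendor/` change. A build that uses the vendor directory therefore still compiles the v1.26.15 code and does not carry the CVE-2024-5321 fix named in the subject, and a module-mode build would presumably stop on the missing `go.sum` entry for the new version. Bump the k8s.io staging modules to the matching v0.27.16 as well, then run `go mod tidy` and `go mod vendor` and commit the resulting `go.sum` and `vendor/` changes so the vendored tree and `modules.txt` agree. The same two hunks recur unchanged in patch 5/5.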
@@ -1,4 +1,6 @@ # Helm chart +# v3.1.0 +* Bump app/driver version to `v2.0.9` # v3.0.9 * Bump app/driver version to `v2.0.8` # v3.0.8 diff --git a/charts/aws-efs-csi-driver/Chart.yaml b/charts/aws-efs-csi-driver/Chart.yaml index 8ce8cbb4f..1b4eb3381 100644 --- a/charts/aws-efs-csi-driver/Chart.yaml +++ b/charts/aws-efs-csi-driver/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: aws-efs-csi-driver -version: 3.0.9 -appVersion: 2.0.8 +version: 3.1.0 +appVersion: 2.0.9 kubeVersion: ">=1.17.0-0" description: "A Helm chart for AWS EFS CSI Driver" home: https://github.com/kubernetes-sigs/aws-efs-csi-driver diff --git a/charts/aws-efs-csi-driver/values.yaml b/charts/aws-efs-csi-driver/values.yaml index 4c6d19ec7..236c18e95 100644 --- a/charts/aws-efs-csi-driver/values.yaml +++ b/charts/aws-efs-csi-driver/values.yaml @@ -9,7 +9,7 @@ useFIPS: false image: repository: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver - tag: "v2.0.8" + tag: "v2.0.9" pullPolicy: IfNotPresent sidecars: diff --git a/deploy/kubernetes/base/controller-deployment.yaml b/deploy/kubernetes/base/controller-deployment.yaml index 92ebc32c0..7987de1a6 100644 --- a/deploy/kubernetes/base/controller-deployment.yaml +++ b/deploy/kubernetes/base/controller-deployment.yaml @@ -37,7 +37,7 @@ spec: - name: efs-plugin securityContext: privileged: true - image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.8 + image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.9 imagePullPolicy: IfNotPresent args: - --endpoint=$(CSI_ENDPOINT) diff --git a/deploy/kubernetes/base/node-daemonset.yaml b/deploy/kubernetes/base/node-daemonset.yaml index 79c76ce6d..4a91bfea1 100644 --- a/deploy/kubernetes/base/node-daemonset.yaml +++ b/deploy/kubernetes/base/node-daemonset.yaml 
@@ -48,7 +48,7 @@ spec: - name: efs-plugin securityContext: privileged: true - image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.8 + image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.9 imagePullPolicy: IfNotPresent args: - --endpoint=$(CSI_ENDPOINT) diff --git a/deploy/kubernetes/overlays/stable/ecr/kustomization.yaml b/deploy/kubernetes/overlays/stable/ecr/kustomization.yaml index 9d44d2d65..305f5d2db 100644 --- a/deploy/kubernetes/overlays/stable/ecr/kustomization.yaml +++ b/deploy/kubernetes/overlays/stable/ecr/kustomization.yaml @@ -5,7 +5,7 @@ bases: images: - name: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver - newTag: v2.0.8 + newTag: v2.0.9 - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/livenessprobe newTag: v2.13.0-eks-1-30-8 diff --git a/deploy/kubernetes/overlays/stable/kustomization.yaml b/deploy/kubernetes/overlays/stable/kustomization.yaml index b88641bb8..ded1ff391 100644 --- a/deploy/kubernetes/overlays/stable/kustomization.yaml +++ b/deploy/kubernetes/overlays/stable/kustomization.yaml @@ -4,7 +4,7 @@ bases: - ../../base images: - name: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver - newTag: v2.0.8 + newTag: v2.0.9 - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe newTag: v2.13.0-eks-1-30-8 - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar From a44afc869eba76211669d966f8888eb2d4f9b8ec Mon Sep 17 00:00:00 2001 From: mkumar26_expedia Date: Fri, 25 Oct 2024 09:43:03 +0530 Subject: [PATCH 3/5] Make 'aws-efs-csi-driver' helm chart more configurable #1423 --- .../templates/controller-deployment.yaml | 9 ++ .../templates/node-daemonset.yaml | 9 ++ charts/aws-efs-csi-driver/values.yaml | 110 +++++++++--------- 3 files changed, 72 insertions(+), 56 deletions(-) 
diff --git a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml index 39b60d31f..cbab8cd5c 100644 --- a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml +++ b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml @@ -78,6 +78,9 @@ spec: {{- end }} - --v={{ .Values.controller.logLevel }} - --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock @@ -134,6 +137,9 @@ spec: {{- if hasKey .Values.controller "leaderElectionLeaseDuration" }} - --leader-election-lease-duration={{ .Values.controller.leaderElectionLeaseDuration }} {{- end }} + {{- range .Values.sidecars.csiProvisioner.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock @@ -153,6 +159,9 @@ spec: args: - --csi-address=/csi/csi.sock - --health-port={{ .Values.controller.healthPort }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /csi diff --git a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml index d1baa42e2..94ad40d21 100644 --- a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml +++ b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml 
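Review bot: The new `- {{ . }}` line inside the `additionalArgs` range renders each element as a bare YAML scalar, so a value containing `: `, ` #` or a leading `*`, `&` or `[` (a constructed example: `--tags=env: prod`) changes the structure of the rendered manifest or fails to parse instead of reaching the container as one argv entry. Render it as `- {{ . | quote }}` so every element becomes a single quoted string regardless of content. The same unquoted form is used in the `csiProvisioner` and `livenessProbe` hunks later in this file and in the three hunks of `node-daemonset.yaml`, and all of them are repeated in patches 4/5 and 5/5.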
@@ -80,6 +80,9 @@ spec: - --vol-metrics-opt-in={{ hasKey .Values.node "volMetricsOptIn" | ternary .Values.node.volMetricsOptIn false }} - --vol-metrics-refresh-period={{ hasKey .Values.node "volMetricsRefreshPeriod" | ternary .Values.node.volMetricsRefreshPeriod 240 }} - --vol-metrics-fs-rate-limit={{ hasKey .Values.node "volMetricsFsRateLimit" | ternary .Values.node.volMetricsFsRateLimit 5 }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock @@ -131,6 +134,9 @@ spec: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.nodeDriverRegistrar.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /csi/csi.sock @@ -159,6 +165,9 @@ spec: - --csi-address=/csi/csi.sock - --health-port={{ .Values.node.healthPort }} - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: plugin-dir mountPath: /csi diff --git a/charts/aws-efs-csi-driver/values.yaml b/charts/aws-efs-csi-driver/values.yaml index 236c18e95..b7e24ff98 100644 --- a/charts/aws-efs-csi-driver/values.yaml +++ b/charts/aws-efs-csi-driver/values.yaml @@ -19,6 +19,7 @@ sidecars: tag: v2.13.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the liveness probe container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -28,6 +29,7 @@ sidecars: tag: v2.11.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the node driver registrar container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false 
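Review bot: The range added after `--vol-metrics-fs-rate-limit` in the node DaemonSet iterates `.Values.controller.additionalArgs`, so arguments intended for the controller Deployment are also injected into every node's `efs-plugin` container, which is privileged, and there is no way to pass node-only arguments; the `values.yaml` hunks in this series add `controller.additionalArgs` but no `node.additionalArgs`. Change the line to `{{- range .Values.node.additionalArgs }}` and declare `additionalArgs: []` under `node:` in `values.yaml` next to the other node settings. A missing key appears to be treated by Helm as an empty range rather than an error, but the default should still be declared so the option is discoverable. This hunk is repeated byte-for-byte in patches 4/5 and 5/5 (same index line `d1baa42e2..94ad40d21`), so each copy needs the fix.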
@@ -37,6 +39,7 @@ sidecars: tag: v5.0.1-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the csi provisioner container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -55,13 +58,13 @@ controller: # If set, add pv/pvc metadata to plugin create requests as parameters. extraCreateMetadata: true # Add additional tags to access points - tags: - {} - # environment: prod - # region: us-east-1 + tags: {} + # environment: prod + # region: us-east-1 # Enable if you want the controller to also delete the # path on efs when deleteing an access point deleteAccessPointRootDir: false + additionalArgs: [] # Additional parameters provided by aws-efs-csi-driver controller podAnnotations: {} podLabel: {} hostNetwork: false 
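Review bot: The inline comment on the new `additionalArgs: []` line under `controller:` reads as if the controller produces these values, whereas they are command-line arguments the chart appends to the controller container; a clearer form is `additionalArgs: [] # Additional command-line arguments appended to the efs-plugin container of the controller Deployment`. The sidecar entries in the earlier hunks of this file use the "Additional arguments for the ... container" phrasing, so matching that wording here keeps the file consistent.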
@@ -69,25 +72,24 @@ controller: dnsPolicy: ClusterFirst dnsConfig: {} additionalLabels: {} - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} updateStrategy: {} tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: efs.csi.aws.com/agent-not-ready - operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - key: efs.csi.aws.com/agent-not-ready + operator: Exists affinity: {} env: [] volumes: [] 
@@ -134,53 +136,49 @@ node: volMetricsOptIn: false volMetricsRefreshPeriod: 240 volMetricsFsRateLimit: 5 - hostAliases: - {} - # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per - # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 - # implementing the suggested solution found here: - # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 - # EFS Vol ID, IP, Region - # "fs-01234567": - # ip: 10.10.2.2 - # region: us-east-2 + hostAliases: {} + # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per + # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 + # implementing the suggested solution found here: + # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 + # EFS Vol ID, IP, Region + # "fs-01234567": + # ip: 10.10.2.2 + # region: us-east-2 priorityClassName: system-node-critical dnsPolicy: ClusterFirst - dnsConfig: - {} - # Example config which uses the AWS nameservers - # dnsPolicy: "None" - # dnsConfig: - # nameservers: - # - 169.254.169.253 + dnsConfig: {} + # Example config which uses the AWS nameservers + # dnsPolicy: "None" + # dnsConfig: + # nameservers: + # - 169.254.169.253 podLabels: {} podAnnotations: {} additionalLabels: {} - resources: - {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} - updateStrategy: - {} - # Override default strategy (RollingUpdate) to speed up deployment. - # This can be useful if helm timeouts are observed. - # type: OnDelete + updateStrategy: {} + # Override default strategy (RollingUpdate) to speed up deployment. + # This can be useful if helm timeouts are observed. 
+ # type: OnDelete tolerations: - - operator: Exists + - operator: Exists affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate # Specifies whether a service account should be created serviceAccount: create: true From 0a1d291661c0e6d01bcbe0ffc4e97beeccdedd97 Mon Sep 17 00:00:00 2001 From: Mohit kumar Date: Fri, 25 Oct 2024 09:43:03 +0530 Subject: [PATCH 4/5] Make 'aws-efs-csi-driver' helm chart more configurable #1423 --- .../templates/controller-deployment.yaml | 9 ++ .../templates/node-daemonset.yaml | 9 ++ charts/aws-efs-csi-driver/values.yaml | 110 +++++++++--------- 3 files changed, 72 insertions(+), 56 deletions(-) diff --git a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml index 39b60d31f..cbab8cd5c 100644 --- a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml +++ b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml @@ -78,6 +78,9 @@ spec: {{- end }} - --v={{ .Values.controller.logLevel }} - --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock @@ -134,6 +137,9 @@ spec: {{- if hasKey .Values.controller "leaderElectionLeaseDuration" }} - --leader-election-lease-duration={{ .Values.controller.leaderElectionLeaseDuration }} {{- end }} + {{- range .Values.sidecars.csiProvisioner.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock 
@@ -153,6 +159,9 @@ spec: args: - --csi-address=/csi/csi.sock - --health-port={{ .Values.controller.healthPort }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /csi diff --git a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml index d1baa42e2..94ad40d21 100644 --- a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml +++ b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml @@ -80,6 +80,9 @@ spec: - --vol-metrics-opt-in={{ hasKey .Values.node "volMetricsOptIn" | ternary .Values.node.volMetricsOptIn false }} - --vol-metrics-refresh-period={{ hasKey .Values.node "volMetricsRefreshPeriod" | ternary .Values.node.volMetricsRefreshPeriod 240 }} - --vol-metrics-fs-rate-limit={{ hasKey .Values.node "volMetricsFsRateLimit" | ternary .Values.node.volMetricsFsRateLimit 5 }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock @@ -131,6 +134,9 @@ spec: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.nodeDriverRegistrar.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /csi/csi.sock @@ -159,6 +165,9 @@ spec: - --csi-address=/csi/csi.sock - --health-port={{ .Values.node.healthPort }} - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: plugin-dir mountPath: /csi diff --git a/charts/aws-efs-csi-driver/values.yaml b/charts/aws-efs-csi-driver/values.yaml index 236c18e95..b7e24ff98 100644 --- a/charts/aws-efs-csi-driver/values.yaml +++ b/charts/aws-efs-csi-driver/values.yaml 
@@ -19,6 +19,7 @@ sidecars: tag: v2.13.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the liveness probe container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -28,6 +29,7 @@ sidecars: tag: v2.11.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the node driver registrar container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -37,6 +39,7 @@ sidecars: tag: v5.0.1-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the csi provisioner container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -55,13 +58,13 @@ controller: # If set, add pv/pvc metadata to plugin create requests as parameters. extraCreateMetadata: true # Add additional tags to access points - tags: - {} - # environment: prod - # region: us-east-1 + tags: {} + # environment: prod + # region: us-east-1 # Enable if you want the controller to also delete the # path on efs when deleteing an access point deleteAccessPointRootDir: false + additionalArgs: [] # Additional parameters provided by aws-efs-csi-driver controller podAnnotations: {} podLabel: {} hostNetwork: false 
@@ -69,25 +72,24 @@ controller: dnsPolicy: ClusterFirst dnsConfig: {} additionalLabels: {} - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} updateStrategy: {} tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: efs.csi.aws.com/agent-not-ready - operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - key: efs.csi.aws.com/agent-not-ready + operator: Exists affinity: {} env: [] volumes: [] 
@@ -134,53 +136,49 @@ node: volMetricsOptIn: false volMetricsRefreshPeriod: 240 volMetricsFsRateLimit: 5 - hostAliases: - {} - # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per - # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 - # implementing the suggested solution found here: - # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 - # EFS Vol ID, IP, Region - # "fs-01234567": - # ip: 10.10.2.2 - # region: us-east-2 + hostAliases: {} + # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per + # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 + # implementing the suggested solution found here: + # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 + # EFS Vol ID, IP, Region + # "fs-01234567": + # ip: 10.10.2.2 + # region: us-east-2 priorityClassName: system-node-critical dnsPolicy: ClusterFirst - dnsConfig: - {} - # Example config which uses the AWS nameservers - # dnsPolicy: "None" - # dnsConfig: - # nameservers: - # - 169.254.169.253 + dnsConfig: {} + # Example config which uses the AWS nameservers + # dnsPolicy: "None" + # dnsConfig: + # nameservers: + # - 169.254.169.253 podLabels: {} podAnnotations: {} additionalLabels: {} - resources: - {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} - updateStrategy: - {} - # Override default strategy (RollingUpdate) to speed up deployment. - # This can be useful if helm timeouts are observed. - # type: OnDelete + updateStrategy: {} + # Override default strategy (RollingUpdate) to speed up deployment. + # This can be useful if helm timeouts are observed. 
+ # type: OnDelete tolerations: - - operator: Exists + - operator: Exists affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate # Specifies whether a service account should be created serviceAccount: create: true From 7fe9da1fb14aaeb4ae4c8409d3cbd3624644f8ba Mon Sep 17 00:00:00 2001 From: Mazen Selim Date: Fri, 11 Oct 2024 19:10:51 +0000 Subject: [PATCH 5/5] Update kubernetes to version 1.27.16 to patch CVE-2024-5321 Make 'aws-efs-csi-driver' helm chart more configurable #1423 Make 'aws-efs-csi-driver' helm chart more configurable #1423 --- .../templates/controller-deployment.yaml | 9 ++ .../templates/node-daemonset.yaml | 9 ++ charts/aws-efs-csi-driver/values.yaml | 110 +++++++++--------- go.mod | 2 +- vendor/modules.txt | 2 +- 5 files changed, 74 insertions(+), 58 deletions(-) diff --git a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml index 39b60d31f..cbab8cd5c 100644 --- a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml +++ b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml @@ -78,6 +78,9 @@ spec: {{- end }} - --v={{ .Values.controller.logLevel }} - --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock 
@@ -134,6 +137,9 @@ spec: {{- if hasKey .Values.controller "leaderElectionLeaseDuration" }} - --leader-election-lease-duration={{ .Values.controller.leaderElectionLeaseDuration }} {{- end }} + {{- range .Values.sidecars.csiProvisioner.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock @@ -153,6 +159,9 @@ spec: args: - --csi-address=/csi/csi.sock - --health-port={{ .Values.controller.healthPort }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /csi diff --git a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml index d1baa42e2..94ad40d21 100644 --- a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml +++ b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml @@ -80,6 +80,9 @@ spec: - --vol-metrics-opt-in={{ hasKey .Values.node "volMetricsOptIn" | ternary .Values.node.volMetricsOptIn false }} - --vol-metrics-refresh-period={{ hasKey .Values.node "volMetricsRefreshPeriod" | ternary .Values.node.volMetricsRefreshPeriod 240 }} - --vol-metrics-fs-rate-limit={{ hasKey .Values.node "volMetricsFsRateLimit" | ternary .Values.node.volMetricsFsRateLimit 5 }} + {{- range .Values.controller.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock @@ -131,6 +134,9 @@ spec: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.nodeDriverRegistrar.additionalArgs }} + - {{ . }} + {{- end }} env: - name: ADDRESS value: /csi/csi.sock @@ -159,6 +165,9 @@ spec: - --csi-address=/csi/csi.sock - --health-port={{ .Values.node.healthPort }} - --v={{ .Values.node.logLevel }} + {{- range .Values.sidecars.livenessProbe.additionalArgs }} + - {{ . }} + {{- end }} volumeMounts: - name: plugin-dir mountPath: /csi 
diff --git a/charts/aws-efs-csi-driver/values.yaml b/charts/aws-efs-csi-driver/values.yaml index 236c18e95..b7e24ff98 100644 --- a/charts/aws-efs-csi-driver/values.yaml +++ b/charts/aws-efs-csi-driver/values.yaml @@ -19,6 +19,7 @@ sidecars: tag: v2.13.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the liveness probe container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -28,6 +29,7 @@ sidecars: tag: v2.11.0-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the node driver registrar container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -37,6 +39,7 @@ sidecars: tag: v5.0.1-eks-1-30-8 pullPolicy: IfNotPresent resources: {} + additionalArgs: [] # Additional arguments for the csi provisioner container securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -55,13 +58,13 @@ controller: # If set, add pv/pvc metadata to plugin create requests as parameters. extraCreateMetadata: true # Add additional tags to access points - tags: - {} - # environment: prod - # region: us-east-1 + tags: {} + # environment: prod + # region: us-east-1 # Enable if you want the controller to also delete the # path on efs when deleteing an access point deleteAccessPointRootDir: false + additionalArgs: [] # Additional parameters provided by aws-efs-csi-driver controller podAnnotations: {} podLabel: {} hostNetwork: false 
@@ -69,25 +72,24 @@ controller: dnsPolicy: ClusterFirst dnsConfig: {} additionalLabels: {} - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} updateStrategy: {} tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: efs.csi.aws.com/agent-not-ready - operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - key: efs.csi.aws.com/agent-not-ready + operator: Exists affinity: {} env: [] volumes: [] 
@@ -134,53 +136,49 @@ node: volMetricsOptIn: false volMetricsRefreshPeriod: 240 volMetricsFsRateLimit: 5 - hostAliases: - {} - # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per - # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 - # implementing the suggested solution found here: - # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 - # EFS Vol ID, IP, Region - # "fs-01234567": - # ip: 10.10.2.2 - # region: us-east-2 + hostAliases: {} + # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per + # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 + # implementing the suggested solution found here: + # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 + # EFS Vol ID, IP, Region + # "fs-01234567": + # ip: 10.10.2.2 + # region: us-east-2 priorityClassName: system-node-critical dnsPolicy: ClusterFirst - dnsConfig: - {} - # Example config which uses the AWS nameservers - # dnsPolicy: "None" - # dnsConfig: - # nameservers: - # - 169.254.169.253 + dnsConfig: {} + # Example config which uses the AWS nameservers + # dnsPolicy: "None" + # dnsConfig: + # nameservers: + # - 169.254.169.253 podLabels: {} podAnnotations: {} additionalLabels: {} - resources: - {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi nodeSelector: {} - updateStrategy: - {} - # Override default strategy (RollingUpdate) to speed up deployment. - # This can be useful if helm timeouts are observed. - # type: OnDelete + updateStrategy: {} + # Override default strategy (RollingUpdate) to speed up deployment. + # This can be useful if helm timeouts are observed. 
+ # type: OnDelete tolerations: - - operator: Exists + - operator: Exists affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate # Specifies whether a service account should be created serviceAccount: create: true diff --git a/go.mod b/go.mod index 77c894a95..4a9b307a4 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( k8s.io/apimachinery v0.26.15 k8s.io/client-go v0.26.15 k8s.io/klog/v2 v2.90.1 - k8s.io/kubernetes v1.26.15 + k8s.io/kubernetes v1.27.16 k8s.io/mount-utils v0.26.15 k8s.io/pod-security-admission v0.26.15 ) diff --git a/vendor/modules.txt b/vendor/modules.txt index 0f3d8c9d1..36a527cc3 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1130,7 +1130,7 @@ k8s.io/kube-openapi/pkg/validation/spec ## explicit; go 1.19 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubernetes v1.26.15 +# k8s.io/kubernetes v1.27.16 ## explicit; go 1.19 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service