Merge branch 'kubernetes-sigs:master' into 1182-quote-extra-tags-arg

CHANGELOG-0.x.md

@@ -1,6 +1,6 @@
 # v1.5.1
 ## Notable changes
-* Address CVE ALAS-2021-1552
+* Address CVE ALAS-2021-1552, ALAS2-2022-1736, ALAS2-2022-1738, ALAS2-2022-1743
 
 # v1.5.0
 ### Misc.

Makefile

@@ -133,7 +133,7 @@ bin/kubeval: | /tmp/kubeval bin
 	@rm -rf /tmp/kubeval/*
 
 bin/mockgen: | bin
-	go get github.com/golang/mock/mockgen@v1.5.0
+	go install github.com/golang/mock/mockgen@v1.5.0
 
 bin/golangci-lint: | bin
 	echo "Installing golangci-lint..."

charts/aws-ebs-csi-driver/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Helm chart
 
+## v2.6.4
+
+* Remove exposure all secrets to external-snapshotter-role
+
 ## v2.6.3
 
 * Bump app/driver to version `v1.5.1`

charts/aws-ebs-csi-driver/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 1.5.1
 name: aws-ebs-csi-driver
 description: A Helm chart for AWS EBS CSI Driver
-version: 2.6.3
+version: 2.6.4
 kubeVersion: ">=1.17.0-0"
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 sources:

charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml

@@ -9,9 +9,13 @@ rules:
   - apiGroups: [ "" ]
     resources: [ "events" ]
     verbs: [ "list", "watch", "create", "update", "patch" ]
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "get", "list" ]
+  # Secret permission is optional.
+  # Enable it if your driver needs secret.
+  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+  # - apiGroups: [ "" ]
+  #   resources: [ "secrets" ]
+  #   verbs: [ "get", "list" ]
   - apiGroups: [ "snapshot.storage.k8s.io" ]
     resources: [ "volumesnapshotclasses" ]
     verbs: [ "get", "list", "watch" ]

examples/kubernetes/block-volume/README.md

@@ -1,39 +1,36 @@
-## Raw Block Volume
-This example shows how to consume a dynamically-provisioned EBS volume as a raw block device.
-
-### Edit [Persistence Volume Claim Spec](./specs/raw-claim.yaml)
-Make sure the `volumeMode` is `Block`.
-
-### Edit [Application Pod](./specs/pod.yaml)
-Make sure the pod is consuming the PVC with the defined name and `volumeDevices` is used instead of `volumeMounts`.
-
-### Deploy the Application
-```sh
-kubectl apply -f examples/kubernetes/block-volume/specs/storageclass.yaml
-kubectl apply -f examples/kubernetes/block-volume/specs/raw-claim.yaml
-kubectl apply -f examples/kubernetes/block-volume/specs/pod.yaml
-```
-
-### Access Block Device
-After the objects are created, verify that pod is running:
-
-```sh
-$ kubectl get pods
-NAME   READY   STATUS    RESTARTS   AGE
-app    1/1     Running   0          16m
-```
-Verify the device node is mounted inside the container:
-
-```sh
-$ kubectl exec -ti app -- ls -al /dev/xvda
-brw-rw----    1 root     disk      202, 23296 Mar 12 04:23 /dev/xvda
-```
-
-Write to the device using:
-
-```sh
-dd if=/dev/zero of=/dev/xvda bs=1024k count=100
-100+0 records in
-100+0 records out
-104857600 bytes (105 MB, 100 MiB) copied, 0.0492386 s, 2.1 GB/s
-```
+# Raw Block Volume
+
+## Prerequisites
+
+1. Kubernetes 1.13+ (CSI 1.0).
+2. The [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) installed.
+
+## Usage
+
+This example shows you how to create and consume a dynamically-provisioned EBS volume as a raw block device.
+
+1. Deploy the provided pod on your cluster along with the `StorageClass` and `PersistentVolumeClaim`:
+    ```sh
+    $ kubectl apply -f manifests
+
+    pod/app created
+    persistentvolumeclaim/block-claim created
+    storageclass.storage.k8s.io/ebs-sc created
+    ```
+
+2. Validate the `PersistentVolumeClaim` is bound to your `PersistentVolume`.
+    ```sh
+    $ kubectl get pvc block-claim
+
+    NAME          STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+    block-claim   Bound    pvc-2074bf0a-4726-44f2-bb7a-eb4292d4f40a   10Gi       RWO            ebs-sc
+    ```
+
+3. Cleanup resources:
+    ```sh
+    $ kubectl delete -f manifests
+
+    pod "app" deleted
+    persistentvolumeclaim "block-claim" deleted
+    storageclass.storage.k8s.io "ebs-sc" deleted
+    ```

examples/kubernetes/block-volume/specs/raw-claim.yaml → examples/kubernetes/block-volume/manifests/claim.yaml

@@ -9,4 +9,4 @@ spec:
   storageClassName: ebs-sc
   resources:
     requests:
-      storage: 10Gi
+      storage: 4Gi

examples/kubernetes/dynamic-provisioning/specs/storageclass.yaml → examples/kubernetes/block-volume/manifests/storageclass.yaml

@@ -1,5 +1,5 @@
-kind: StorageClass
 apiVersion: storage.k8s.io/v1
+kind: StorageClass
 metadata:
   name: ebs-sc
 provisioner: ebs.csi.aws.com

examples/kubernetes/dynamic-provisioning/README.md

@@ -1,30 +1,44 @@
 # Dynamic Volume Provisioning
-This example shows how to create a EBS volume and consume it from container dynamically.
 
 ## Prerequisites
 
 1. Kubernetes 1.13+ (CSI 1.0).
-
-2. The [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) is installed.
+2. The [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) installed.
 
 ## Usage
 
-1. Create a sample app along with the StorageClass and the PersistentVolumeClaim:
-```
-kubectl apply -f specs/
-```
+This example shows you how to dynamically provision an EBS volume in your cluster.
+
+1. Deploy the provided pod on your cluster along with the `StorageClass` and `PersistentVolumeClaim`:
+    ```sh
+    $ kubectl apply -f manifests
+
+    persistentvolumeclaim/ebs-claim created
+    pod/app created
+    storageclass.storage.k8s.io/ebs-sc created
+    ```
 
-2. Validate the volume was created and `volumeHandle` contains an EBS volumeID:
-```
-kubectl describe pv
-```
+2. Validate the `PersistentVolumeClaim` is bound to your `PersistentVolume`.
+    ```sh
+    $ kubectl get pvc ebs-claim
 
-3. Validate the pod successfully wrote data to the volume:
-```
-kubectl exec -it app cat /data/out.txt
-```
+    NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+    ebs-claim   Bound    pvc-9124c6d0-382a-49c5-9494-bcb60f6c0c9c   4Gi        RWO            ebs-sc         30m
+    ```
+
+3. Validate the pod successfully wrote data to the dynamically provisioned volume:
+    ```sh
+    $ kubectl exec app -- cat /data/out.txt
+
+    Tue Feb 22 01:24:44 UTC 2022
+    ...
+    ```
 
 4. Cleanup resources:
-```
-kubectl delete -f specs/
-```
+    ```sh
+    $ kubectl delete -f manifests
+
+    persistentvolumeclaim "ebs-claim" deleted
+    pod "app" deleted
+    storageclass.storage.k8s.io "ebs-sc" deleted
+    ```

examples/kubernetes/snapshot/specs/app/claim.yaml → examples/kubernetes/dynamic-provisioning/manifests/claim.yaml

@@ -8,4 +8,4 @@ spec:
   storageClassName: ebs-sc
   resources:
     requests:
-      storage: 4Gi
+      storage: 4Gi

examples/kubernetes/dynamic-provisioning/manifests/pod.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+spec:
+  containers:
+  - name: app
+    image: centos
+    command: ["/bin/sh"]
+    args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
+    volumeMounts:
+    - name: persistent-storage
+      mountPath: /data
+  volumes:
+  - name: persistent-storage
+    persistentVolumeClaim:
+      claimName: ebs-claim

examples/kubernetes/snapshot/specs/classes/storageclass.yaml → examples/kubernetes/dynamic-provisioning/manifests/storageclass.yaml

@@ -1,5 +1,5 @@
-kind: StorageClass
 apiVersion: storage.k8s.io/v1
+kind: StorageClass
 metadata:
   name: ebs-sc
 provisioner: ebs.csi.aws.com

examples/kubernetes/resizing/README.md

@@ -1,43 +1,52 @@
-## Volume Resizing
-This example shows how to resize EBS persistence volume using volume resizing features.
+# Volume Resizing
 
-**Note**
-1. CSI volume resizing is still alpha as of Kubernetes 1.15
-2. EBS has a limit of one volume modification every 6 hours. Refer to [EBS documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVolume.html) for more details.
+## Prerequisites
+
+1. Kubernetes 1.13+ (CSI 1.0).
+2. The [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) installed.
 
 ## Usage
-1. Add `allowVolumeExpansion: true` in the StorageClass spec in [example manifest](./spec/example.yaml) to enable volume expansion. You can only expand a PVC if its storage class’s allowVolumeExpansion field is set to true
-
-2. Deploy the example:
-```sh
-kubectl apply -f specs/
-``` 
-
-3. Verify the volume is created and Pod is running:
-```sh
-kubectl get pv
-kubectl get po app
-```
-
-4. Expand the volume size by increasing the capacity in PVC's `spec.resources.requests.storage`:
-```sh
-kubectl edit pvc ebs-claim
-```
-Save the result at the end of the edit.
-
-5. Verify that both the persistence volume and persistence volume claim are resized:
-```sh
-kubectl get pv
-kubectl get pvc
-```
-You should see that both should have the new value relfected in the capacity fields.
-
-6. Verify that the application is continuously running without any interruption:
-```sh
-kubectl exec -it app cat /data/out.txt
-```
-
-7. Cleanup resources:
-```
-kubectl delete -f specs/
-```
+
+In this example, an EBS volume of `4Gi` is resized to `8Gi` using the volume resizing feature.
+
+1. Deploy the provided pod on your cluster along with the `StorageClass` and `PersistentVolumeClaim`:
+    ```sh
+    $ kubectl apply -f manifests
+
+    persistentvolumeclaim/ebs-claim created
+    pod/app created
+    storageclass.storage.k8s.io/resize-sc created
+    ```
+
+2. Validate the `PersistentVolumeClaim` is bound to your `PersistentVolume`.
+    ```sh
+    $ kubectl get pvc ebs-claim
+
+    NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+    ebs-claim   Bound    pvc-b0f6d590-f4b3-4329-a118-49cd09f6993c   4Gi        RWO            resize-sc      28s
+    ```
+
+3. Expand the volume size by increasing the `capacity` specification in the `PersistentVolumeClaim`.
+    ```sh
+    $ export KUBE_EDITOR="nano" && kubectl edit pvc ebs-claim
+    ```
+
+4. Verify that both the persistence volume and persistence volume claim have been appropriately resized:
+    ```sh
+    $ kubectl get pv && kubectl get pvc
+
+    NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM               STORAGECLASS   
+    pvc-b0f6d590-f4b3-4329-a118-49cd09f6993c   8Gi        RWO            Delete           Bound    default/ebs-claim   resize-sc   
+
+    NAME        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+    ebs-claim   Bound    pvc-b0f6d590-f4b3-4329-a118-49cd09f6993c   8Gi        RWO            resize-sc      23m
+    ```
+
+5. Cleanup resources:
+    ```sh
+    $ kubectl delete -f manifests
+
+    persistentvolumeclaim "ebs-claim" deleted
+    pod "app" deleted
+    storageclass.storage.k8s.io "resize-sc" deleted
+    ```

examples/kubernetes/resizing/manifests/claim.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ebs-claim
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: resize-sc
+  resources:
+    requests:
+      storage: 4Gi

examples/kubernetes/resizing/manifests/pod.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+spec:
+  containers:
+  - name: app
+    image: centos
+    command: ["/bin/sh"]
+    args: ["tail -f /dev/null"]
+    volumeMounts:
+    - name: persistent-storage
+      mountPath: /data
+  volumes:
+  - name: persistent-storage
+    persistentVolumeClaim:
+      claimName: ebs-claim

examples/kubernetes/resizing/manifests/storageclass.yaml

@@ -0,0 +1,6 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: resize-sc
+provisioner: ebs.csi.aws.com
+allowVolumeExpansion: true