diff --git a/charts/latest/blob-csi-driver-v0.0.0.tgz b/charts/latest/blob-csi-driver-v0.0.0.tgz index d3f552703..f7cd890b0 100644 Binary files a/charts/latest/blob-csi-driver-v0.0.0.tgz and b/charts/latest/blob-csi-driver-v0.0.0.tgz differ diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml index db3be29c0..863e90ed3 100644 --- a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml +++ b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml @@ -78,6 +78,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -123,6 +126,10 @@ spec: - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }} - --v=2 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -152,6 +159,10 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: blob {{- if hasPrefix "/" .Values.image.blob.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}" @@ -218,6 +229,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir @@ -261,6 +275,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }} volumeMounts: - mountPath: /opt/microsoft/aznfs/data diff --git a/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz b/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz index 742ecdb71..7f20ff464 100644 Binary files a/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz and b/charts/v1.22.6/blob-csi-driver-v1.22.6.tgz differ diff --git a/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml index 9fb01f844..00187ec95 100644 --- a/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml +++ b/charts/v1.22.6/blob-csi-driver/templates/csi-blob-node.yaml @@ -79,6 +79,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -119,6 +122,10 @@ spec: - --health-port={{ .Values.node.livenessProbe.healthPort }} - --v=2 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -148,6 +155,10 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: blob {{- if hasPrefix "/" .Values.image.blob.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}" @@ -216,6 +227,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir @@ -259,6 +273,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }} volumeMounts: - mountPath: /opt/microsoft/aznfs/data diff --git a/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz b/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz index fae0f9b70..efe436a05 100644 Binary files a/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz and b/charts/v1.24.1/blob-csi-driver-v1.24.1.tgz differ diff --git a/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml index fb74de39a..c9eaa4495 100644 --- a/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml +++ b/charts/v1.24.1/blob-csi-driver/templates/csi-blob-node.yaml @@ -78,6 +78,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -123,6 +126,10 @@ spec: - --health-port={{ .Values.node.livenessProbe.healthPort }} - --v=2 resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar {{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" @@ -152,6 +159,10 @@ spec: - name: registration-dir mountPath: /registration resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }} + securityContext: + capabilities: + drop: + - ALL - name: blob {{- if hasPrefix "/" .Values.image.blob.repository }} image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}" @@ -218,6 +229,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir @@ -261,6 +275,9 @@ spec: imagePullPolicy: {{ .Values.image.blob.pullPolicy }} securityContext: privileged: true + capabilities: + drop: + - ALL resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }} volumeMounts: - mountPath: /opt/microsoft/aznfs/data diff --git a/deploy/csi-blob-node.yaml b/deploy/csi-blob-node.yaml index ac7ac9d67..5e1b45a38 100644 --- a/deploy/csi-blob-node.yaml +++ b/deploy/csi-blob-node.yaml @@ -46,6 +46,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -89,6 +92,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.10.1 args: @@ -119,6 +126,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: blob image: mcr.microsoft.com/k8s/csi/blob-csi:latest imagePullPolicy: IfNotPresent @@ -158,6 +169,9 @@ spec: fieldPath: spec.nodeName securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir @@ -186,6 +200,9 @@ spec: imagePullPolicy: IfNotPresent securityContext: privileged: true + capabilities: + drop: + - ALL resources: limits: memory: 100Mi diff --git a/deploy/v1.22.6/csi-blob-node.yaml b/deploy/v1.22.6/csi-blob-node.yaml index 6b4f4961a..db6bd39cc 100644 --- a/deploy/v1.22.6/csi-blob-node.yaml +++ b/deploy/v1.22.6/csi-blob-node.yaml @@ -46,6 +46,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -87,6 +90,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.8.0 args: @@ -117,6 +124,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: blob image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.22.6 imagePullPolicy: IfNotPresent @@ -157,6 +168,9 @@ spec: fieldPath: spec.nodeName securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir diff --git a/deploy/v1.24.1/csi-blob-node.yaml b/deploy/v1.24.1/csi-blob-node.yaml index c564f8c05..c86ecb665 100644 --- a/deploy/v1.24.1/csi-blob-node.yaml +++ b/deploy/v1.24.1/csi-blob-node.yaml @@ -46,6 +46,9 @@ spec: - "/blobfuse-proxy/init.sh" securityContext: privileged: true + capabilities: + drop: + - ALL env: - name: DEBIAN_FRONTEND value: "noninteractive" @@ -89,6 +92,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: node-driver-registrar image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.10.1 args: @@ -119,6 +126,10 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + capabilities: + drop: + - ALL - name: blob image: mcr.microsoft.com/oss/kubernetes-csi/blob-csi:v1.24.1 imagePullPolicy: IfNotPresent @@ -158,6 +169,9 @@ spec: fieldPath: spec.nodeName securityContext: privileged: true + capabilities: + drop: + - ALL volumeMounts: - mountPath: /csi name: socket-dir @@ -186,6 +200,9 @@ spec: imagePullPolicy: IfNotPresent securityContext: privileged: true + capabilities: + drop: + - ALL resources: limits: memory: 100Mi