From 9b384ad3f939cb35f28e182816e6e571fbc7b4d0 Mon Sep 17 00:00:00 2001
From: John Naulty
Date: Thu, 21 Nov 2019 22:54:46 -0800
Subject: [PATCH] Patch k8scsi sidecars for CVE-2019-11255
Changes:
- Update container image versions that have resolve the CVE according to [kubernetes/kubernetes/issues/85233](https://github.com/kubernetes/kubernetes/issues/85233)
- Update snapshotter RBAC policy
- Update resizer RBAC policy
- Updates external-provisioner RBAC policy for v1.3.1 image
- Update helm charts with updated RBAC policy
ref: #411
---
aws-ebs-csi-driver/templates/manifest.yaml | 9 +++++++++
aws-ebs-csi-driver/values.yaml | 6 +++---
deploy/kubernetes/base/controller.yaml | 2 +-
deploy/kubernetes/base/rbac.yaml | 6 ++++++
.../overlays/alpha/controller_add_resizer.yaml | 2 +-
.../overlays/alpha/controller_add_snapshotter.yaml | 2 +-
.../kubernetes/overlays/alpha/rbac_add_snapshotter.yaml | 3 +++
7 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/aws-ebs-csi-driver/templates/manifest.yaml b/aws-ebs-csi-driver/templates/manifest.yaml
index 0a8d51bf6e..70726122c0 100644
--- a/aws-ebs-csi-driver/templates/manifest.yaml
+++ b/aws-ebs-csi-driver/templates/manifest.yaml
@@ -24,6 +24,12 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"]
@@ -116,6 +122,9 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"]
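Review bot: The cluster-wide `get`/`list` on every VolumeSnapshot and VolumeSnapshotContent added to this ClusterRole in the first manifest.yaml hunk carries no comment tying it to the CVE, so nothing stops a later least-privilege pass from removing it as an unused grant. As far as I understand the v1.3.1 fix, external-provisioner now has to read the VolumeSnapshot named in a PVC's `dataSource` and the VolumeSnapshotContent it is bound to before it will provision from it, so these reads are part of the CVE-2019-11255 mitigation rather than a convenience. I would put `# external-provisioner >= v1.3.1 reads the VolumeSnapshot and its bound VolumeSnapshotContent to verify a PVC dataSource (CVE-2019-11255); do not drop.` above the first new `- apiGroups: ["snapshot.storage.k8s.io"]` entry and confirm the verb set against upstream external-provisioner's deploy/kubernetes/rbac.yaml at tag v1.3.1. The ClusterRole these rules belong to starts before the hunk, so that it is the provisioner's role is inferred from the surrounding `events`/`csinodes` rules.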
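Review bot: The new `volumesnapshots/status` rule in the second manifest.yaml hunk sits next to an unchanged `update` on `volumesnapshots`, and nothing records why both verbs are now needed or which sidecar version introduced the requirement. My understanding of the external-snapshotter v1.2.x change is that VolumeSnapshot status is written through the status subresource, so `update` on the main resource alone no longer changes status and the CRD must have `subresources.status` enabled for the new verb to do anything; I would annotate the rule with `# external-snapshotter >= v1.2.2 writes VolumeSnapshot status via the status subresource (CVE-2019-11255)`. This template is the Helm copy of the rule added to deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml in the same commit, so the comment belongs in both places. The snapshotter's ClusterRole begins above this hunk.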
diff --git a/aws-ebs-csi-driver/values.yaml b/aws-ebs-csi-driver/values.yaml
index 9ab3485883..608eb3f2fb 100644
--- a/aws-ebs-csi-driver/values.yaml
+++ b/aws-ebs-csi-driver/values.yaml
@@ -12,19 +12,19 @@ image: sidecars: provisionerImage: repository: quay.io/k8scsi/csi-provisioner - tag: "v1.3.0" + tag: "v1.3.1" attacherImage: repository: quay.io/k8scsi/csi-attacher tag: "v1.2.0" snapshotterImage: repository: quay.io/k8scsi/csi-snapshotter - tag: "v1.1.0" + tag: "v1.2.2" livenessProbeImage: repository: quay.io/k8scsi/livenessprobe tag: "v1.1.0" resizerImage: repository: quay.io/k8scsi/csi-resizer - tag: "v0.2.0" + tag: "v0.3.0" nodeDriverRegistrarImage: repository: quay.io/k8scsi/csi-node-driver-registrar tag: "v1.1.0"
diff --git a/deploy/kubernetes/base/controller.yaml b/deploy/kubernetes/base/controller.yaml
index 7b300ee39a..291eabf75b 100644
--- a/deploy/kubernetes/base/controller.yaml
+++ b/deploy/kubernetes/base/controller.yaml
@@ -60,7 +60,7 @@ spec: periodSeconds: 10 failureThreshold: 5 - name: csi-provisioner - image: quay.io/k8scsi/csi-provisioner:v1.3.0 + image: quay.io/k8scsi/csi-provisioner:v1.3.1 args: - --csi-address=$(ADDRESS) - --v=5
diff --git a/deploy/kubernetes/base/rbac.yaml b/deploy/kubernetes/base/rbac.yaml
index 14ff12b47d..77ddd2b2bf 100644
--- a/deploy/kubernetes/base/rbac.yaml
+++ b/deploy/kubernetes/base/rbac.yaml
@@ -26,6 +26,12 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"]
diff --git a/deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml b/deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml
index 23bf8790f3..db7f8002ad 100644
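Review bot: The snapshot read rules added to deploy/kubernetes/base/rbac.yaml are a hand-maintained copy of the ones added to aws-ebs-csi-driver/templates/manifest.yaml in this commit, and the two copies already disagree on the adjacent `events` rule (the chart grants `get`, this base does not), so there is no single source of truth for sidecar RBAC and the next security-driven change can easily land in one place only. I would add `# keep in sync with aws-ebs-csi-driver/templates/manifest.yaml (provisioner ClusterRole)` above the new `snapshot.storage.k8s.io` entries here, with the mirror comment in the chart, or have one file rendered from the other. If the extra `get` on events in the chart is not something the provisioner needs, that divergence is worth reconciling in a follow-up rather than carrying forward. The ClusterRole header is outside this hunk, so that this is the provisioner's role is inferred from the `csinodes` rule in the trailing context.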
--- a/deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml
+++ b/deploy/kubernetes/overlays/alpha/controller_add_resizer.yaml
@@ -8,7 +8,7 @@ spec: spec: containers: - name: csi-resizer - image: quay.io/k8scsi/csi-resizer:v0.2.0 + image: quay.io/k8scsi/csi-resizer:v0.3.0 args: - --csi-address=$(ADDRESS) - --v=5
diff --git a/deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml b/deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml
index e96b9be094..d2ede77adb 100644
--- a/deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml
+++ b/deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml
@@ -8,7 +8,7 @@ spec: spec: containers: - name: csi-snapshotter - image: quay.io/k8scsi/csi-snapshotter:v1.1.0 + image: quay.io/k8scsi/csi-snapshotter:v1.2.2 args: - --csi-address=$(ADDRESS) - --connection-timeout=15s
diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml
index afafd245a4..46a25b4687 100644
--- a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml
+++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml
@@ -29,6 +29,9 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"]
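Review bot: Granting `update` on `volumesnapshots/status` in rbac_add_snapshotter.yaml only takes effect if the VolumeSnapshot CRD actually exposes a status subresource, and this hunk neither ships nor updates the CRD. The same ClusterRole still holds `create`/`delete` on `customresourcedefinitions` (visible in the trailing context), which suggests the sidecar installs the CRDs itself; if the CRDs on an existing cluster were created by the previous csi-snapshotter v1.1.0 they may predate the subresource and, as far as I know, the sidecar will not recreate a CRD that already exists, leaving the new verb inert and status writes failing after the bump to v1.2.2. I would note this in the overlay, e.g. `# requires the VolumeSnapshot CRD with subresources.status enabled; CRDs created by csi-snapshotter <= v1.1.0 must be recreated on upgrade`, and document an upgrade check such as `kubectl get crd volumesnapshots.snapshot.storage.k8s.io -o jsonpath='{.spec.subresources}'` in the release notes. The snapshotter ClusterRole begins above this hunk.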