diff --git a/pkg/model/components/awsebscsidriver.go b/pkg/model/components/awsebscsidriver.go index 7028a04a30..6be3f83548 100644 --- a/pkg/model/components/awsebscsidriver.go +++ b/pkg/model/components/awsebscsidriver.go @@ -48,7 +48,7 @@ func (b *AWSEBSCSIDriverOptionsBuilder) BuildOptions(o interface{}) error { } if c.Version == nil { - version := "v1.8.0" + version := "v1.12.0" c.Version = fi.String(version) } diff --git a/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data b/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data index 00a6287611..3d99b96111 100644 --- a/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data +++ b/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_nodes.additionalobjects.example.com_user_data b/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_nodes.additionalobjects.example.com_user_data index 9e6a28a6f4..9c84cb6444 100644 --- a/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_nodes.additionalobjects.example.com_user_data +++ b/tests/integration/update_cluster/additionalobjects/data/aws_launch_template_nodes.additionalobjects.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index a04ae73c66..d0f233f193 100644 --- a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=additionalobjects.example.com - --extra-tags=KubernetesCluster=additionalobjects.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
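Review bot: The added `--http-endpoint=0.0.0.0:3301` in the controller's driver args (hunk -622,6 +634,7) binds the HTTP endpoint on every pod interface, and hunk -658,6 +671,9 publishes it as containerPort `metrics`. Nothing visible in this diff restricts who may connect, so any workload that can reach the pod IP can presumably read it. If only the monitoring stack needs it, pair the flag with a NetworkPolicy limiting ingress on port 3301, or render the flag only when a cluster-spec option asks for metrics. This file is a rendered golden fixture, so the edit belongs in the addon template, which is not in this part of the diff. The same line recurs in the apiservernodes and complex fixtures further down.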
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
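Review bot: The controller's `liveness-probe` container (end of hunk -707,12 +732,15) only has its image bumped and gets no container-level `securityContext`. The other controller containers in these hunks and the node DaemonSet's `liveness-probe` all gain one. It still inherits the pod-level `runAsNonRoot: true` added in the next hunk, but not the read-only root filesystem or the privilege-escalation block. I would add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` to that container in the addon template (not part of this fixture) and regenerate. The apiservernodes fixture further down shows the same gap.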
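Review bot: Adding `fsGroupPolicy: File` to the existing `ebs.csi.aws.com` CSIDriver (hunk -755,11 +788,12) is an in-place spec change, and as far as I know older Kubernetes API servers treat this field as immutable, so the update may be rejected on a running cluster. The manifest id `k8s-1.17` suggests it is applied to older clusters as well. It also changes workload behaviour: with `File`, kubelet applies a pod's `fsGroup` ownership to the volume regardless of filesystem type or access mode. Please confirm how the addon updater handles this object on upgrade (recreate versus update) and call out the ownership change in the release notes. A template comment such as `# fsGroupPolicy File: kubelet chowns volume contents to the pod's fsGroup on mount` would help the next reader.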
@@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-bootstrap_content b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-bootstrap_content index 111c35bb2c..68cc2daf81 100644 --- a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_additionalobjects.example.com-addons-bootstrap_content @@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 1dd94a933d41eac6748cf111a5042586e04b38fab6068a4c78e5fa66389497ff + manifestHash: c3b4c30452a4651271690f9e6d228ff9ad41509873e5606fb3f6e8b7268a5a0c name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content index 519ae86d48..ce38d8e211 100644 --- a/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudProvider: aws clusterDNSDomain: cluster.local 
diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/apiservernodes/cloudformation.json.extracted.yaml index 5107f9922d..b2149a1cc9 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json.extracted.yaml +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json.extracted.yaml @@ -127,7 +127,7 @@ Resources.AWSEC2LaunchTemplateapiserverapiserversminimalexamplecom.Properties.La cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: @@ -303,7 +303,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties. cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: @@ -574,7 +574,7 @@ Resources.AWSEC2LaunchTemplatenodesminimalexamplecom.Properties.LaunchTemplateDa cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data index f8bc6fbe79..46b5bd244a 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data +++ b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index ad9bf52f17..c2b5177156 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_nodes.minimal.example.com_user_data index 091fe9f1b4..0f883b0d16 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/apiservernodes/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content index f6dc738da8..72153f33c5 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content 
@@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudProvider: aws clusterDNSDomain: cluster.local diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 18051fecd6..52893226b7 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
@@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index 566d751e5e..2b77c6213f 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/apiservernodes/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -48,7 +48,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 7d5c47010ea2aa26cdc658167a360a26c60643e5c096acfa0efdcb26c2c736dc + manifestHash: ba7158ec0cc65552611b73242fe9a7dd1aecd4c7f167485cd536698f49455c15 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml index 0f13841f3d..57484639c7 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml +++ b/tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml @@ -136,7 +136,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom.Properties. cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
@@ -433,7 +433,7 @@ Resources.AWSEC2LaunchTemplatenodescomplexexamplecom.Properties.LaunchTemplateDa cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data b/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data index 893b84897b..57a8de9038 100644 --- a/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data +++ b/tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data @@ -135,7 +135,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data b/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data index df0feed740..617832398d 100644 --- a/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data +++ b/tests/integration/update_cluster/complex/data/aws_launch_template_nodes.complex.example.com_user_data @@ -135,7 +135,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/complex/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/complex/data/aws_s3_object_cluster-completed.spec_content index a77eeff132..c86ccb1c76 100644 
--- a/tests/integration/update_cluster/complex/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/complex/data/aws_s3_object_cluster-completed.spec_content @@ -30,7 +30,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 23165d83c9..547108ac53 100644 --- a/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
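Review bot: The `readOnlyRootFilesystem: true` added beside `privileged: true` in the `@@ -508,6 +508,7 @@` hunk is a weak boundary on its own, because a privileged container keeps broad access to the host, and nothing in the manifest records why privilege is still required. I would add a comment next to that block, for example `# privileged is needed for Bidirectional mount propagation of /var/lib/kubelet`, so a later hardening pass knows what has to stay. This file is generated expected output, so the comment belongs in the addon template it is rendered from, which is outside this hunk. The same hunk recurs in the karpenter and many-addons-ccm-irsa fixtures.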
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=complex.example.com - --extra-tags=KubernetesCluster=complex.example.com,Owner=John Doe,foo/bar=fib+baz + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
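Review bot: The new `--http-endpoint=0.0.0.0:3301` argument in the `@@ -622,6 +634,7 @@` hunk opens a listener on every interface of the controller pod, and the `@@ -658,6 +671,9 @@` hunk publishes it as the container port `metrics`, with no switch visible here to turn it off. Nothing in these hunks shows authentication or a NetworkPolicy in front of the port, so presumably any workload that can reach the pod IP can read the driver's metrics. Whether the pod uses host networking is not visible from here and is worth confirming, since that would place the port on the node address. I would document the port and ship or recommend a NetworkPolicy that admits only the metrics scraper. The same two hunks appear in the karpenter and many-addons-ccm-irsa fixtures, and the change itself belongs in the addon template these files are generated from.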
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
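Review bot: The controller's `liveness-probe` container in the `@@ -707,12 +732,15 @@` hunk receives only the image bump, while `csi-resizer` directly above it and the other controller containers in these hunks each gain a container-level `securityContext`. The node DaemonSet's `liveness-probe` does get one in the `@@ -535,15 +539,23 @@` hunk, so this looks like an omission rather than a choice. I would add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under `name: liveness-probe` in the controller template and regenerate the fixtures. The same gap is visible in the karpenter (`@@ -745,7 +773,7 @@`) and many-addons-ccm-irsa (`@@ -765,7 +796,7 @@`) fixtures.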
@@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-bootstrap_content b/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-bootstrap_content index 0058c6b96a..4bf77858f6 100644 --- a/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/complex/data/aws_s3_object_complex.example.com-addons-bootstrap_content @@ -69,7 +69,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 2eb2d4313db9d5c74802ab00a8dce902bd3ddaca3fc947bb8f2c5491c4393d79 + manifestHash: 76d9c4a6f64afd71894cf48619861c1eb1bfa27d1a50d440e3244d4bd53dc276 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-default.minimal.example.com_user_data b/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-default.minimal.example.com_user_data index 1bc170b7f7..d84219aafe 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-default.minimal.example.com_user_data +++ b/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-default.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-single-machinetype.minimal.example.com_user_data b/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-single-machinetype.minimal.example.com_user_data index 0ac827fcb6..f886e59764 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-single-machinetype.minimal.example.com_user_data +++ b/tests/integration/update_cluster/karpenter/data/aws_launch_template_karpenter-nodes-single-machinetype.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/karpenter/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/karpenter/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 592ec2fd47..01aa3e4526 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/karpenter/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/karpenter/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/karpenter/data/aws_launch_template_nodes.minimal.example.com_user_data index 6668f76d14..7a15b6ffaa 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_launch_template_nodes.minimal.example.com_user_data 
+++ b/tests/integration/update_cluster/karpenter/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content index c2b85764f5..b975638acb 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index fc71f6c722..bb2ee09417 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system 
@@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: 
@@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional 
@@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT 
@@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -745,7 +773,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} 
@@ -757,7 +785,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -799,11 +830,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -817,7 +849,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index f258bb3958..c60b39aff7 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -62,7 +62,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 44d1bdde6aead8f31385caa491f59079d6953b4cfcdb05781ce5f19e9652f0aa + manifestHash: d98496d48c370dfe2b031df2bf3609cb5ffc99a678618ea54b5b5138a387545c name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 751fbf0964..a9ef975542 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_nodes.minimal.example.com_user_data index c436b87a9a..8c8321d8a8 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_cluster-completed.spec_content index 71bd8b3576..a8ad2a2261 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_cluster-completed.spec_content 
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index d11a9fcf48..8edece02cd 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
@@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-snapshotter resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -752,6 +780,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -765,7 +796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} @@ -777,7 +808,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: 
@@ -819,11 +853,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -837,7 +872,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index acc967b259..c5acf4cc84 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -127,7 +127,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: dbe5a01d6c2130aab1a0b92ead375051333108726c8f65a3f2a755dd1f457389 + manifestHash: d22528fa219becc9d58ea06b8f5e3a6c0c13907cfae224dc87f4dbea05eebd9f name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index e74d9618cb..df6ae10165 100644 
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_nodes.minimal.example.com_user_data index 99581121f5..2886cd8e62 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_cluster-completed.spec_content index 45f12f26c7..02f20169f9 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 83dd9c39d0..b6f7371921 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: 
@@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system 
@@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists 
@@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-snapshotter resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -752,6 +780,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -765,7 +796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} @@ -777,7 +808,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -819,11 +853,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
@@ -837,7 +872,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index d98e8a2792..4276bb6ac4 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -134,7 +134,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: bb6be3e164b1f5c0820836f28a1c9fd1410041774c26220e888f1167ced0324a + manifestHash: 5230f59251b647235a9ff170a895795fc841e02175e04dcfcc92dff442dedf2a name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 5305ef4cc3..1b873f947f 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_nodes.minimal.example.com_user_data index 13fab3cb7f..6842b4f11d 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_cluster-completed.spec_content index c4cb314775..3e26797762 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 83dd9c39d0..b6f7371921 100644 
--- a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
@@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-snapshotter resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -752,6 +780,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -765,7 +796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} @@ -777,7 +808,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -819,11 +853,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -837,7 +872,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index 010613c11c..6e92fe505f 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -134,7 +134,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: bb6be3e164b1f5c0820836f28a1c9fd1410041774c26220e888f1167ced0324a + manifestHash: 5230f59251b647235a9ff170a895795fc841e02175e04dcfcc92dff442dedf2a name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 9db87bb66f..dd53fcaefd 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_nodes.minimal.example.com_user_data index c5fcdda29d..d5c18190c4 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_cluster-completed.spec_content index 50f65595d4..1060de80cc 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 83dd9c39d0..b6f7371921 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content 
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
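Review bot: The pod-level `securityContext` in hunk `@@ -535,15 +539,23 @@` sets `runAsUser: 0` and `runAsNonRoot: false` for the whole ebs-csi-node pod, so the node-driver-registrar and liveness-probe sidecars run as root alongside the ebs-plugin container that hunk `@@ -508,6 +508,7 @@` leaves at `privileged: true`. `readOnlyRootFilesystem: true` on a privileged container limits accidental writes but is not a confinement boundary, and a privileged pod is rejected by the baseline and restricted Pod Security levels, so the namespace has to stay exempt from them. The fixture is rendered from the addon template, which is outside this view; a comment there such as `# runs privileged as root: mounts volumes under /var/lib/kubelet with Bidirectional propagation` would record why. The same settings repeat in the many-addons-ccm-irsa26 and many-addons-ccm fixtures further down.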
@@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
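Review bot: `--http-endpoint=0.0.0.0:3301` in hunk `@@ -618,6 +630,7 @@` opens a listener on every interface of the controller pod, and hunk `@@ -658,6 +671,9 @@` declares it as containerPort `metrics`, while nothing in the visible hunks limits who can connect. The flag carries no TLS or authentication setting, so presumably any workload that can route to the pod IP can read the endpoint; a NetworkPolicy that admits only the metrics scraper on 3301, or making the listener opt-in, would close that. The manifest is rendered from the addon template outside this view, so the change belongs there. The same flag and port appear in the many-addons-ccm-irsa26 and many-addons-ccm fixtures.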
@@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-snapshotter resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -752,6 +780,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -765,7 +796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} @@ -777,7 +808,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -819,11 +853,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -837,7 +872,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
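Review bot: The controller's liveness-probe container looks like the one container that does not receive the `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true` pair: hunk `@@ -765,7 +796,7 @@` only bumps its image, and the many-addons-ccm fixture's hunk `@@ -719,12 +747,15 @@` shows `name: liveness-probe` followed directly by `volumeMounts:`. Every other container in this Deployment, and the liveness-probe in the ebs-csi-node DaemonSet, gets the block. Here the lines after `resources: {}` are outside the hunk, so confirm against the template; if it is missing, add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` to that container as well.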
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index 112d07fb7d..3bafc98a61 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -134,7 +134,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: bb6be3e164b1f5c0820836f28a1c9fd1410041774c26220e888f1167ced0324a + manifestHash: 5230f59251b647235a9ff170a895795fc841e02175e04dcfcc92dff442dedf2a name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 246bf5ea4a..a299acd2ad 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_nodes.minimal.example.com_user_data index 4246908161..a41c101c2c 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_cluster-completed.spec_content index 09c189e7a7..b82305717e 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 83dd9c39d0..b6f7371921 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content 
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
@@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-snapshotter resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -752,6 +780,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -765,7 +796,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} @@ -777,7 +808,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -819,11 +853,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -837,7 +872,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index faf24e4cfd..451fcf01d5 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -127,7 +127,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: bb6be3e164b1f5c0820836f28a1c9fd1410041774c26220e888f1167ced0324a + manifestHash: 5230f59251b647235a9ff170a895795fc841e02175e04dcfcc92dff442dedf2a name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 82ef291ace..d21fcc0dcf 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_nodes.minimal.example.com_user_data index c436b87a9a..8c8321d8a8 100644 
--- a/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_cluster-completed.spec_content index 374c5cf7d4..0b88232c31 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index a9fa972eb9..99ca41bbdc 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: 
@@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: 
@@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: 
@@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,6 +732,9 @@ spec: image: registry.k8s.io/sig-storage/csi-snapshotter:v6.0.1 imagePullPolicy: IfNotPresent name: csi-snapshotter + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -719,12 +747,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -732,6 +763,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -767,11 +803,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -785,7 +822,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index d47ae215a9..c31700cc7a 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content 
@@ -127,7 +127,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 24d24ec86df0dce7a2400c58758ec430786ca8fc35b8209683d0cdee961c3982 + manifestHash: 661d07408b14f375f94fedfb70702c1d2ffe25b4bbaa9661bd5dfd3dc4eda7bb name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 6328ffac92..9263ede81e 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data index 3749c36b60..8644ce85f6 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons/data/aws_s3_object_cluster-completed.spec_content index 0120f5496a..c15b1858f6 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/many-addons/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudProvider: aws clusterAutoscaler: diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index a9fa972eb9..99ca41bbdc 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: 
@@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: 
@@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
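Review bot: The pod-level `securityContext` added at the end of the `@@ -535,15 +539,23 @@` hunk pins the node DaemonSet to `runAsUser: 0` with `runAsNonRoot: false`, and the driver container keeps `privileged: true`, but nothing records why. The node plugin presumably needs root and privileged mode to mount volumes under `/var/lib/kubelet`, so this is likely intended. A comment in the addon template such as `# node plugin performs host mounts: must run as root and privileged` would keep a later hardening pass or policy scanner from treating it as an oversight. It would also be worth stating there that `readOnlyRootFilesystem: true` on the privileged container (the `@@ -508,6 +508,7 @@` hunk) is hygiene rather than an isolation boundary, since that container still has the bidirectional host mount. The same block appears in the minimal-1.23 and minimal-1.24 fixtures.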
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,6 +732,9 @@ spec: image: registry.k8s.io/sig-storage/csi-snapshotter:v6.0.1 imagePullPolicy: IfNotPresent name: csi-snapshotter + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -719,12 +747,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -732,6 +763,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists 
@@ -767,11 +803,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -785,7 +822,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index ebbb52f224..a21facfef9 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -120,7 +120,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 24d24ec86df0dce7a2400c58758ec430786ca8fc35b8209683d0cdee961c3982 + manifestHash: 661d07408b14f375f94fedfb70702c1d2ffe25b4bbaa9661bd5dfd3dc4eda7bb name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index ddf0df6fff..25c4e616df 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data 
+++ b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data index 50df48e71c..34b9f8c8e5 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_cluster-completed.spec_content index 3714cfcaeb..86045b7cd4 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudProvider: aws clusterDNSDomain: cluster.local 
diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 0c6744d190..ef936aa2a7 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: 
@@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system 
@@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists 
@@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index 516a37f170..f9e4e0829e 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 4bb90d3f9bb2d3fadb064a57e7fbf2254c967e82d263b4a197540980e3751e82 + manifestHash: 2353cd18b634768470d664b7e1d2f8bb01dac0b4384be752d49a85072b0507aa name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 4ad642d20f..e371444f06 100644 --- a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data index 54a90d413d..b0fe2aa4ec 100644 
--- a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_cluster-completed.spec_content index 12188459fc..54e4fd8b22 100644 --- a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 0c6744d190..ef936aa2a7 100644 --- a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: 
@@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: 
@@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: 
@@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: 
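Review bot: The controller gains a metrics listener on every pod interface, `--http-endpoint=0.0.0.0:3301` in hunk `@@ -622,6 +634,7 @@` plus the `metrics` containerPort in `@@ -658,6 +671,9 @@`, and nothing in this diff makes it opt-in or restricts who can reach it. As far as I know this endpoint is plain HTTP without authentication, so either gate the flag on a cluster-spec setting or ship a NetworkPolicy that limits ingress on 3301 to the scraper. The pod spec continues outside these hunks, so whether the controller uses host networking cannot be seen here; if it does, the port is reachable on the node address. The same two hunks recur in the minimal-1.25 and minimal-1.26 manifests.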
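Review bot: In hunk `@@ -707,12 +732,15 @@` the controller's `liveness-probe` container gets its image bumped to v2.6.0 but, unlike `csi-resizer` directly above it and the other controller containers in these hunks, receives no container-level `securityContext`. The node DaemonSet's `liveness-probe` does get one, so this looks like an omission rather than a decision. It still inherits the pod-level `runAsNonRoot: true`, but for consistency add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` after `name: liveness-probe` in the template that renders this file. The container's `volumeMounts` continue outside the hunk, and the same gap recurs in the minimal-1.25 and minimal-1.26 manifests.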
@@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index de753e8293..4f1bae062d 100644 --- a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -62,7 +62,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 4bb90d3f9bb2d3fadb064a57e7fbf2254c967e82d263b4a197540980e3751e82 + manifestHash: 2353cd18b634768470d664b7e1d2f8bb01dac0b4384be752d49a85072b0507aa name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io 
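Review bot: Adding `fsGroupPolicy: File` to the existing `ebs.csi.aws.com` CSIDriver (hunk `@@ -755,11 +788,12 @@`) changes a spec field on an object that upgraded clusters already have. CSIDriver spec fields have been immutable on at least some Kubernetes releases, so applying the new manifest in place may be rejected; it is worth confirming the upgrade path on the oldest Kubernetes version this `k8s-1.17` manifest is served to. The behaviour change also deserves a line in the release notes: with `File`, the kubelet applies a pod's `fsGroup` ownership change to these volumes regardless of filesystem type or access mode. The same hunk recurs in the minimal-1.25 and minimal-1.26 manifests.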
diff --git a/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 79f2830750..bb7294b14b 100644 --- a/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_nodes.minimal.example.com_user_data index ecc4132a60..2c5c10b65a 100644 --- a/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.25/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_cluster-completed.spec_content index 843c072155..0eceeca93e 100644 --- a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_cluster-completed.spec_content 
@@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 0c6744d190..ef936aa2a7 100644 --- a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
@@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index decf45c286..1ff157bb83 100644 --- a/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-1.25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -62,7 +62,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 4bb90d3f9bb2d3fadb064a57e7fbf2254c967e82d263b4a197540980e3751e82 + manifestHash: 2353cd18b634768470d664b7e1d2f8bb01dac0b4384be752d49a85072b0507aa name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index ed7762afa9..dc438eb0ad 100644 --- a/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_nodes.minimal.example.com_user_data index 2895917e7e..b8263864c3 100644 --- a/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/minimal-1.26/data/aws_launch_template_nodes.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_cluster-completed.spec_content index a39ac30d8e..5d9b4914e5 100644 --- a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 0c6744d190..ef936aa2a7 100644 --- a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content 
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: 
@@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: 
@@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: 
@@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: 
@@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index a8b65c808f..b24305c245 100644 --- a/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-1.26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 4bb90d3f9bb2d3fadb064a57e7fbf2254c967e82d263b4a197540980e3751e82 + manifestHash: 2353cd18b634768470d664b7e1d2f8bb01dac0b4384be752d49a85072b0507aa name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io 
diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data index 66b34917ee..ca6bd3e73d 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data index cbcd06cbd2..e4ed213a17 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content index f8e4150eea..52f2f1adc5 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content 
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 1c0b9b5171..4821e69d0d 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -493,7 +493,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -510,6 +510,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -530,6 +531,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -537,15 +541,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -578,7 +590,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -596,7 +608,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -624,6 +636,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal-ipv6.example.com - --extra-tags=KubernetesCluster=minimal-ipv6.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE @@ -647,7 +660,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -662,6 +675,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
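Review bot: The controller's ebs-plugin container now starts with `--http-endpoint=0.0.0.0:3301` (hunk `@@ -624,6 +636,7 @@`) and hunk `@@ -662,6 +675,9 @@` declares containerPort 3301 as `metrics`, so the listener is bound to every pod interface in every cluster that takes this default. Nothing in the visible hunks limits who can reach that port. If the endpoint is unauthenticated plain HTTP, which is usual for metrics but not confirmed from this diff, the addon should either make it opt-in or ship a NetworkPolicy restricting port 3301 to the scraper. At minimum the template should carry a comment such as `# metrics listener on all interfaces; restrict port 3301 with a NetworkPolicy`. These files are expected-output fixtures, so the change belongs in the addon template outside this hunk; the same lines recur in the minimal-ipv6-cilium and minimal-ipv6-private fixtures.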
@@ -670,6 +686,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -686,6 +705,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -699,6 +721,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -711,12 +736,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -724,6 +752,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -759,11 +792,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
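Review bot: In hunk `@@ -711,12 +736,15 @@` the controller Deployment's `liveness-probe` container gets only the image bump to v2.6.0, with no container-level securityContext. The other controller containers visible in this diff (ebs-plugin, csi-provisioner, csi-attacher, csi-resizer) and the DaemonSet's liveness-probe all gain one. The container still inherits the pod-level `runAsNonRoot: true` and `runAsUser: 1000` from `@@ -724,6 +752,11 @@`, but not `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true`. Add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under that container in the addon template and regenerate the fixtures. The same gap appears in the minimal-ipv6-cilium and minimal-ipv6-private expected outputs.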
@@ -777,7 +811,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index 200793e97a..bdb3bc91b1 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content @@ -111,7 +111,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 8c2247f2eb14e20019eb863a878c43884f43e4064906e3c7174b876eefc6584b + manifestHash: 5a251d8372600af7a6e82a17c0e866bc54ffc2d0870ef7bfc7581ee5ecf36ea4 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json.extracted.yaml index 340034eb1d..b514719c03 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json.extracted.yaml +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json.extracted.yaml @@ -127,7 +127,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 
@@ -400,7 +400,7 @@ Resources.AWSEC2LaunchTemplatenodesminimalipv6examplecom.Properties.LaunchTempla cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data index 183aa05d02..619a83d7eb 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data index 938c760e59..ac6674b431 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index 6cb28b0c39..9d9c794c6d 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 90fbd11616..34f579ebaf 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: 
@@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: 
@@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -493,7 +493,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -510,6 +510,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -530,6 +531,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -537,15 +541,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -578,7 +590,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -596,7 +608,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -624,6 +636,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal-ipv6.example.com - --extra-tags=KubernetesCluster=minimal-ipv6.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE @@ -647,7 +660,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -662,6 +675,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
@@ -670,6 +686,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -686,6 +705,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -699,6 +721,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -711,12 +736,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -724,6 +752,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -759,11 +792,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
@@ -777,7 +811,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index c5c426ebcc..e532c967ff 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content @@ -63,7 +63,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: ebded4f6831ade6ca401ba8e0a0afe5fe62331b0b2d2fc9d8fdb87f9b6d9a0b8 + manifestHash: 3b7a5812c59970975a60b4dc5af1bba7b3fb50cd00b46303a8df02b62f43c543 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data index 50fe69bb20..b13dabdb6f 100644 --- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data index e265eb1afc..9f2c89e551 100644 --- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_cluster-completed.spec_content index 9299c54047..d3f6fe5043 100644 --- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 1c0b9b5171..4821e69d0d 100644 
--- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -493,7 +493,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -510,6 +510,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -530,6 +531,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -537,15 +541,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -578,7 +590,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
@@ -596,7 +608,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -624,6 +636,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal-ipv6.example.com - --extra-tags=KubernetesCluster=minimal-ipv6.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE @@ -647,7 +660,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -662,6 +675,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -670,6 +686,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -686,6 +705,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -699,6 +721,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -711,12 +736,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -724,6 +752,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -759,11 +792,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -777,7 +811,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index fee3c751df..77c9fbcb97 100644 --- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content 
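Review bot: The controller's `liveness-probe` container gets no container-level `securityContext` in hunk `@@ -711,12 +736,15 @@`: the entry only has its image bumped to `v2.6.0` and still runs straight from `name: liveness-probe` to `volumeMounts:`. Every other controller container visible in these hunks (`ebs-plugin`, `csi-provisioner`, `csi-attacher`, `csi-resizer`) gains `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, as does the node DaemonSet's own `liveness-probe`, so this looks like an omission rather than a choice. Since the fixture is generated, the fix belongs in the addon template that renders it: add `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under that container, then regenerate. The matching hunks in the minimal-ipv6 and minimal-warmpool fixtures show the same gap.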
+++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content @@ -62,7 +62,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 8c2247f2eb14e20019eb863a878c43884f43e4064906e3c7174b876eefc6584b + manifestHash: 5a251d8372600af7a6e82a17c0e866bc54ffc2d0870ef7bfc7581ee5ecf36ea4 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json.extracted.yaml index 340034eb1d..b514719c03 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json.extracted.yaml +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json.extracted.yaml @@ -127,7 +127,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 @@ -400,7 +400,7 @@ Resources.AWSEC2LaunchTemplatenodesminimalipv6examplecom.Properties.LaunchTempla cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data index 183aa05d02..619a83d7eb 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data b/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data index 938c760e59..ac6674b431 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_cluster-completed.spec_content index f1dfa30e45..0d899d9170 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true nodeIPFamilies: - ipv6 diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 90fbd11616..34f579ebaf 100644 
--- a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -493,7 +493,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -510,6 +510,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -530,6 +531,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -537,15 +541,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -578,7 +590,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
@@ -596,7 +608,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -624,6 +636,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal-ipv6.example.com - --extra-tags=KubernetesCluster=minimal-ipv6.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE @@ -647,7 +660,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -662,6 +675,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -670,6 +686,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -686,6 +705,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -699,6 +721,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -711,12 +736,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -724,6 +752,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -759,11 +792,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -777,7 +811,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index cab06fde5e..445506452a 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content 
@@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: ebded4f6831ade6ca401ba8e0a0afe5fe62331b0b2d2fc9d8fdb87f9b6d9a0b8 + manifestHash: 3b7a5812c59970975a60b4dc5af1bba7b3fb50cd00b46303a8df02b62f43c543 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data index 7343924715..c116e59e13 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data index 7c0688ad2d..58a5e65a40 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
@@ -166,7 +166,7 @@ CloudProvider: aws ConfigBase: memfs://clusters.example.com/minimal-warmpool.example.com InstanceGroupName: nodes InstanceGroupRole: Node -NodeupConfigHash: EOCTeNdcxDgQ0oeSjIsxaSH+KYj0bCVcAXqffSNWDr8= +NodeupConfigHash: KBUetKApv4MyDXF/ofNogmU3zvOvd5s7es2L2d+m1m4= __EOF_KUBE_ENV diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 9885830427..8ee1de4a11 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudProvider: aws clusterDNSDomain: cluster.local diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index a811f3aa08..b05913311b 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system 
@@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: 
@@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional 
@@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal-warmpool.example.com - --extra-tags=KubernetesCluster=minimal-warmpool.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 
@@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists 
@@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content index 08ca908880..4747d3b9a1 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content @@ -56,7 +56,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 809909a35545f40c3a7c54cf1ff2e08ee8887d274e9e59c300fd30549b36215e + manifestHash: 8b90941c7c39242d3d2a1cab2e844b4bc755f9754400ce8ef0cbddf885c861ef name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content index c1100f6276..b1c4e1ed87 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content 
+++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content @@ -70,6 +70,6 @@ warmPoolImages: - quay.io/cilium/cilium:v1.11.8 - quay.io/cilium/operator:v1.11.8 - registry.k8s.io/kube-proxy:v1.21.0 -- registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 +- registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 - registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 -- registry.k8s.io/sig-storage/livenessprobe:v2.5.0 +- registry.k8s.io/sig-storage/livenessprobe:v2.6.0 diff --git a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data index 10a3793160..874451fc62 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data +++ b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data index d5c18fba7c..2def0806e4 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data +++ b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content index 4454520e56..5db2b439f1 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 1bf9f30373..fed7c66cd4 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system 
@@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: 
@@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional 
@@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=privatecalico.example.com - --extra-tags=KubernetesCluster=privatecalico.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 
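Review bot: The pod-level `securityContext` added to the `ebs-csi-node` pod at `@@ -535,15 +539,23 @@` (`runAsUser: 0`, `runAsGroup: 0`, `runAsNonRoot: false`) also covers the `node-driver-registrar` and `liveness-probe` sidecars, whose own contexts set only `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. Both sidecars therefore run as UID 0 with the runtime's default capabilities, although only the privileged driver container (the one with the Bidirectional `/var/lib/kubelet` mount) presumably needs root. I would document the intent next to the pod-level block, for example `# root is needed by the privileged driver container; sidecars inherit UID 0`, and, if testing shows the sidecars still work, add `capabilities:` / `drop: ["ALL"]` to their contexts. The same hunk recurs in the privatecanal and privatecilium2 fixtures; these files look like generated expected output, so the change would belong in the addon template that renders them, which is not shown here.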
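Review bot: The new controller argument `--http-endpoint=0.0.0.0:3301` at `@@ -622,6 +634,7 @@` binds the endpoint on every interface, and the following hunk exposes it as containerPort `metrics`; nothing visible here limits who may reach it or shows TLS or authentication in front of it. Whether the controller pod uses host networking is not visible in these hunks, and if it does the port would also be open on the node's own addresses. I would confirm that a NetworkPolicy or security-group rule restricts 3301 to the metrics scraper and record that next to the flag, e.g. `# plain-HTTP metrics; reachability limited by <policy name>`. The same lines appear in the privatecanal and privatecilium2 copies of this manifest.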
@@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists 
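Review bot: The controller's `liveness-probe` container is left without a container-level `securityContext`: at `@@ -707,12 +732,15 @@` it only gets the image bump to v2.6.0, while `csi-resizer` directly above it and the other controller containers gain `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. It still runs as UID 1000 through the pod-level context added in the next hunk, but privilege escalation and a writable root filesystem remain allowed for this one container. I would add `securityContext:` / `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true` under `name: liveness-probe`, matching what the node DaemonSet's liveness-probe receives in this same commit. The gap repeats in the privatecanal and privatecilium2 fixtures; since these look like generated expected output, the fix belongs in the template that renders them, which is outside this view.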
@@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content index ae624c2cca..f80d5686fe 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content @@ -111,7 +111,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 853e9f4d87a245ea71d91f89d38b23b295b7c7375df57c0094697093dbc89d00 + manifestHash: 30323bd98f5eba2ca13818534d43921937d8982ebc4346fce4620bdc6f4ac148 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data index fed3812fe3..5eeb78fd20 100644 
--- a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data +++ b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data index 8cc7b83a1a..571837c7cc 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data +++ b/tests/integration/update_cluster/privatecanal/data/aws_launch_template_nodes.privatecanal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content index 4ffae290ba..82243ddf73 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 96e154aeb4..96017bf877 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: 
@@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system 
@@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists 
@@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=privatecanal.example.com - --extra-tags=KubernetesCluster=privatecanal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content index cbf85e0d90..1464780ba2 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content @@ -111,7 +111,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 90199041bdd8a8f93b2179f555663ca96c94518349417954285dcec823a3f7ad + manifestHash: b245f6af728f8f6d427769ec230d6f48585664a2a909d135d8ef2802f440c19d name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/privatecilium2/cloudformation.json.extracted.yaml index 23451fa8c9..60a2a40470 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json.extracted.yaml +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json.extracted.yaml @@ -127,7 +127,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom.Prope cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: @@ -398,7 +398,7 @@ Resources.AWSEC2LaunchTemplatenodesprivateciliumexamplecom.Properties.LaunchTemp cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: 
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data b/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data index 3ca539e1e2..4572719e18 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data +++ b/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_nodes.privatecilium.example.com_user_data b/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_nodes.privatecilium.example.com_user_data index 765d0e881b..a3adeda0eb 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_nodes.privatecilium.example.com_user_data +++ b/tests/integration/update_cluster/privatecilium2/data/aws_launch_template_nodes.privatecilium.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index 585c1696b6..6ccb319cde 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content 
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -16,7 +16,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 4c433d5254..c10da88f93 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: 
@@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: 
@@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir 
@@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=privatecilium.example.com - --extra-tags=KubernetesCluster=privatecilium.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: 
@@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- 
@@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index a8aff098ee..cd302a7e32 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -77,7 +77,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 45da9e454f215b88a24fabeb8961626e98c2bef0fa4a9f5f2d077e2da9d8d791 + manifestHash: 4213545841a7284f916f72236a63b77f4d669bdf88a6dfdc6080b9bce0dc0f06 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data b/tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data index a31eb8e868..ea097cb2fe 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data +++ b/tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privateflannel/data/aws_launch_template_nodes.privateflannel.example.com_user_data b/tests/integration/update_cluster/privateflannel/data/aws_launch_template_nodes.privateflannel.example.com_user_data index b4b0eb9610..6360e7076a 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_launch_template_nodes.privateflannel.example.com_user_data +++ b/tests/integration/update_cluster/privateflannel/data/aws_launch_template_nodes.privateflannel.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_cluster-completed.spec_content index 805b617d06..8808976b36 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_cluster-completed.spec_content @@ -14,7 +14,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index 314275a864..40de3e4810 100644 
--- a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: 
@@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: @@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system 
@@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional @@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system 
@@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -622,6 +634,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=privateflannel.example.com - --extra-tags=KubernetesCluster=privateflannel.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT @@ -643,7 +656,7 @@ spec: key: access_key name: aws-secret optional: true - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -666,6 +682,9 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -682,6 +701,9 @@ spec: image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent name: csi-provisioner + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -695,6 +717,9 @@ spec: image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent name: csi-attacher + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir 
@@ -707,12 +732,15 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 imagePullPolicy: IfNotPresent name: csi-resizer + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe volumeMounts: @@ -720,6 +748,11 @@ spec: name: socket-dir nodeSelector: null priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa tolerations: - operator: Exists @@ -755,11 +788,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -773,7 +807,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-bootstrap_content index 80a869b879..b7e10aae3d 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-bootstrap_content 
+++ b/tests/integration/update_cluster/privateflannel/data/aws_s3_object_privateflannel.example.com-addons-bootstrap_content @@ -107,7 +107,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 41a7b8bd924e91ac42d61a71908578205d6292c973f53062f055ffbc3cbf8ba9 + manifestHash: 7395cd1b0f44769155a89e91c710199dd5fe4551cd77c464506123bfd6b72b1b name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data index 6b513a6fa6..b49512efb1 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data @@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_nodes.minimal.example.com_user_data index 22544d4caa..15e1bffabc 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_nodes.minimal.example.com_user_data +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_nodes.minimal.example.com_user_data 
@@ -126,7 +126,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_cluster-completed.spec_content index f3b757f540..262cf41174 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_cluster-completed.spec_content @@ -12,7 +12,7 @@ spec: cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.8.0 + version: v1.12.0 manageStorageClasses: true cloudControllerManager: allocateNodeCIDRs: true diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content index fc71f6c722..bb2ee09417 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller-sa namespace: kube-system 
@@ -23,7 +23,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-attacher-role rules: @@ -81,7 +81,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-provisioner-role rules: @@ -183,7 +183,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-resizer-role rules: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-external-snapshotter-role rules: @@ -309,7 +309,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-attacher-binding roleRef: @@ -332,7 +332,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-provisioner-binding roleRef: 
@@ -355,7 +355,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-resizer-binding roleRef: @@ -378,7 +378,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-snapshotter-binding roleRef: @@ -442,7 +442,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node-sa namespace: kube-system @@ -458,7 +458,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-node namespace: kube-system @@ -475,7 +475,7 @@ spec: app: ebs-csi-node app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: containers: @@ -491,7 +491,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -508,6 +508,7 @@ spec: protocol: TCP securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional 
@@ -528,6 +529,9 @@ spec: image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 imagePullPolicy: IfNotPresent name: node-driver-registrar + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir @@ -535,15 +539,23 @@ spec: name: registration-dir - args: - --csi-address=/csi/csi.sock - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /csi name: plugin-dir nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 serviceAccountName: ebs-csi-node-sa tolerations: - operator: Exists @@ -576,7 +588,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system @@ -594,7 +606,7 @@ spec: app: ebs-csi-controller app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 kops.k8s.io/managed-by: kops spec: affinity: @@ -618,6 +630,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id=minimal.example.com - --extra-tags=KubernetesCluster=minimal.example.com + - --http-endpoint=0.0.0.0:3301 - --v=5 env: - name: CSI_ENDPOINT 
@@ -643,7 +656,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.8.0 + image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.12.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 @@ -658,6 +671,9 @@ spec: - containerPort: 9808 name: healthz protocol: TCP + - containerPort: 3301 + name: metrics + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -667,6 +683,9 @@ spec: periodSeconds: 10 timeoutSeconds: 3 resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -691,6 +710,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-provisioner resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -712,6 +734,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-attacher resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -732,6 +757,9 @@ spec: imagePullPolicy: IfNotPresent name: csi-resizer resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir @@ -745,7 +773,7 @@ spec: value: arn:aws-test:iam::123456789012:role/ebs-csi-controller-sa.kube-system.sa.minimal.example.com - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/amazonaws.com/token - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent name: liveness-probe resources: {} 
@@ -757,7 +785,10 @@ spec: readOnly: true priorityClassName: system-cluster-critical securityContext: - fsGroup: 10001 + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: ebs-csi-controller-sa topologySpreadConstraints: - labelSelector: @@ -799,11 +830,12 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs.csi.aws.com spec: attachRequired: true + fsGroupPolicy: File podInfoOnMount: false --- @@ -817,7 +849,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/managed-by: kops app.kubernetes.io/name: aws-ebs-csi-driver - app.kubernetes.io/version: v1.8.0 + app.kubernetes.io/version: v1.12.0 k8s-addon: aws-ebs-csi-driver.addons.k8s.io name: ebs-csi-controller namespace: kube-system diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-bootstrap_content index fd928ab012..62b37bf264 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_object_minimal.example.com-addons-bootstrap_content @@ -62,7 +62,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 44d1bdde6aead8f31385caa491f59079d6953b4cfcdb05781ce5f19e9652f0aa + manifestHash: d98496d48c370dfe2b031df2bf3609cb5ffc99a678618ea54b5b5138a387545c name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io 
diff --git a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template index 0b8159a609..c561703ebb 100644 --- a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template +++ b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template @@ -283,12 +283,18 @@ spec: kubernetes.io/os: linux serviceAccountName: ebs-csi-node-sa priorityClassName: system-node-critical + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 tolerations: - operator: Exists containers: - name: ebs-plugin securityContext: privileged: true + readOnlyRootFilesystem: true image: registry.k8s.io/provider-aws/aws-ebs-csi-driver:{{ .Version }} imagePullPolicy: IfNotPresent args: @@ -347,11 +353,17 @@ spec: mountPath: /csi - name: registration-dir mountPath: /registration + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false - name: liveness-probe - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent args: - --csi-address=/csi/csi.sock + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false volumeMounts: - name: plugin-dir mountPath: /csi @@ -442,6 +454,11 @@ spec: app: ebs-csi-controller app.kubernetes.io/name: aws-ebs-csi-driver app.kubernetes.io/instance: aws-ebs-csi-driver + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 serviceAccountName: ebs-csi-controller-sa priorityClassName: system-cluster-critical nodeSelector: null @@ -459,6 +476,7 @@ spec: - --logtostderr - --k8s-tag-cluster-id={{ ClusterName }} - "--extra-tags={{ CloudLabels }}" + - --http-endpoint=0.0.0.0:3301 - --v=5 env: {{- if IsIPv6Only }} 
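Review bot: The pod-level `securityContext` added to the ebs-csi-node DaemonSet in the hunk at -283 pins `runAsUser: 0` for every container in the pod, so the node-driver-registrar and liveness-probe sidecars (hunk at -347) also run as root. Their new container contexts set only `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`, which leaves them the runtime's default capability set. If the sidecars work without capabilities, I would add `capabilities: {drop: [ALL]}` to both sidecar contexts, after checking that registration over the hostPath socket still succeeds. A comment above the pod-level block, e.g. `# ebs-plugin runs privileged as root to mount volumes on the host; sidecars inherit uid 0` (wording to be confirmed by the author), would record that `runAsNonRoot: false` is intentional. The DaemonSet spec starts and ends outside these hunks.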
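Review bot: `--http-endpoint=0.0.0.0:3301` in the hunk at -459 makes the controller serve metrics on every interface of the pod, unconditionally, and nothing in this template change limits who may connect to port 3301 (the matching `containerPort` is added in the hunk at -491). As far as I know the endpoint is plain HTTP without authentication, so any workload that can route to the controller pod can read it; whether the pod uses host networking is not visible here. I would either gate the flag and the port behind a cluster-spec option so that it is opt-in, or ship a NetworkPolicy for `app: ebs-csi-controller` that admits only the monitoring namespace. A comment next to the flag such as `# metrics: unauthenticated HTTP, restrict access to 3301` would help as well. The container's args list starts outside the hunk.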
@@ -491,6 +509,9 @@ spec: - name: healthz containerPort: 9808 protocol: TCP + - name: metrics + containerPort: 3301 + protocol: TCP livenessProbe: httpGet: path: /healthz @@ -507,6 +528,9 @@ spec: timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false - name: csi-provisioner image: registry.k8s.io/sig-storage/csi-provisioner:v3.1.0 imagePullPolicy: IfNotPresent @@ -523,6 +547,9 @@ spec: volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false - name: csi-attacher image: registry.k8s.io/sig-storage/csi-attacher:v3.4.0 imagePullPolicy: IfNotPresent @@ -536,6 +563,9 @@ spec: volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false {{ if HasSnapshotController }} - name: csi-snapshotter image: registry.k8s.io/sig-storage/csi-snapshotter:v6.0.1 @@ -549,6 +579,9 @@ spec: volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false {{ end }} - name: csi-resizer image: registry.k8s.io/sig-storage/csi-resizer:v1.4.0 @@ -562,8 +595,11 @@ spec: volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false - name: liveness-probe - image: registry.k8s.io/sig-storage/livenessprobe:v2.5.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.6.0 imagePullPolicy: IfNotPresent args: - --csi-address=/csi/csi.sock @@ -586,6 +622,7 @@ metadata: spec: attachRequired: true podInfoOnMount: false + fsGroupPolicy: File --- {{ if IsKubernetesGTE "1.23" }} apiVersion: policy/v1 
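Review bot: The controller's `liveness-probe` container in the hunk at -562 gets only the image bump to v2.6.0 and no container `securityContext`, unlike csi-provisioner, csi-attacher, csi-snapshotter and csi-resizer in the preceding hunks and unlike the node DaemonSet's liveness-probe. It therefore keeps a writable root filesystem and the default for privilege escalation, which looks like an omission rather than a choice. I would add `securityContext:` with `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` after its `volumeMounts`, as done for its siblings. The container definition continues past the end of the hunk, so this is judged from the visible lines and from the regenerated test manifests, which show no such block for that container either.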
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml index 5e44ff62ab..535f11adf1 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml @@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 7d5c47010ea2aa26cdc658167a360a26c60643e5c096acfa0efdcb26c2c736dc + manifestHash: ba7158ec0cc65552611b73242fe9a7dd1aecd4c7f167485cd536698f49455c15 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml index af2c3cece8..f733feef4b 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml @@ -56,7 +56,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 7d5c47010ea2aa26cdc658167a360a26c60643e5c096acfa0efdcb26c2c736dc + manifestHash: ba7158ec0cc65552611b73242fe9a7dd1aecd4c7f167485cd536698f49455c15 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml index 9dd66adaab..41a4302d5a 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml 
@@ -63,7 +63,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 7d5c47010ea2aa26cdc658167a360a26c60643e5c096acfa0efdcb26c2c736dc + manifestHash: ba7158ec0cc65552611b73242fe9a7dd1aecd4c7f167485cd536698f49455c15 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml index 3437d90717..784a335957 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml @@ -70,7 +70,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 7d5c47010ea2aa26cdc658167a360a26c60643e5c096acfa0efdcb26c2c736dc + manifestHash: ba7158ec0cc65552611b73242fe9a7dd1aecd4c7f167485cd536698f49455c15 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/manifest.yaml index a1e82a3768..13f4358ee7 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/manifest.yaml @@ -48,7 +48,7 @@ spec: version: 9.99.0 - id: k8s-1.17 manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 0610d7f75a347d0f838e5fb4171832563bafb67e5529df236bae29fc9dccfdd5 + manifestHash: 07673c0be4a4eb62cff124e75750b7e91ca29f644c3a4db5bfb40677a4c34f60 name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io