Sync to "upstream/master" to fix CVE-2023-39325/CVE-2023-3978

- Sync's to "upstream/master" to fix (golang.org/x/net) CVE-2023-39325/CVE-2023-3978
avoltz · Oct 23, 2023 · 45dd0ab · mkandawires · Oct 24, 2023 · 45dd0ab
1 parent 8cd3840
commit 45dd0ab
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 53 deletions.
diff --git a/charts/latest/blob-csi-driver/templates/NOTES.txt b/charts/latest/blob-csi-driver/templates/NOTES.txt
@@ -2,4 +2,4 @@ The Azure Blob Storage CSI driver is getting deployed to your cluster.
 
 To check Azure Blob Storage CSI driver pods status, please run:
 
-  kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch
+  kubectl --namespace={{ .Release.Namespace }} get pods --selector="release={{ .Release.Name }}" --watch
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -70,11 +70,10 @@ spec:
             - "--csi-address=$(ADDRESS)"
             - "--leader-election"
             - "--leader-election-namespace={{ .Release.Namespace }}"
-            - "--timeout=1200s"
+            - "--timeout=120s"
             - "--extra-create-metadata=true"
             - "--kube-api-qps=50"
             - "--kube-api-burst=100"
-            - "--feature-gates=HonorPVReclaimPolicy=true"
           env:
             - name: ADDRESS
               value: /csi/csi.sock

diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
@@ -35,9 +35,9 @@ spec:
       imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
       {{- end }}
-      {{- if or .Values.node.enableBlobfuseProxy .Values.node.enableAznfsMount }}
+{{- if .Values.node.enableBlobfuseProxy }}
       hostPID: true
-      {{- end }}
+{{- end }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: {{ .Values.serviceAccount.node }}
@@ -172,8 +172,6 @@ spec:
             - "--append-timestamp-cache-dir={{ .Values.node.appendTimeStampInCacheDir }}"
             - "--mount-permissions={{ .Values.node.mountPermissions }}"
             - "--allow-inline-volume-key-access-with-idenitity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
-            - "--enable-aznfs-mount={{ .Values.node.enableAznfsMount }}"
-            - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}"
           ports:
             - containerPort: {{ .Values.node.livenessProbe.healthPort }}
               name: healthz
@@ -246,31 +244,7 @@ spec:
               mountPath: /etc/pki/ca-trust/extracted
               readOnly: true
             {{- end }}
-            {{- if .Values.node.enableAznfsMount }}
-            - mountPath: /opt/microsoft/aznfs/data
-              name: aznfs-data
-            {{- end }}
           resources: {{- toYaml .Values.node.resources.blob | nindent 12 }}
-{{- if .Values.node.enableAznfsMount }}
-        - name: aznfswatchdog
-{{- if hasPrefix "/" .Values.image.blob.repository }}
-          image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
-{{- else }}
-          image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
-{{- end }}
-          command:
-            - "aznfswatchdog"
-          imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
-          securityContext:
-            privileged: true
-          resources: {{- toYaml .Values.node.resources.aznfswatchdog | nindent 12 }}
-          volumeMounts:
-            - mountPath: /opt/microsoft/aznfs/data
-              name: aznfs-data
-            - mountPath: {{ .Values.linux.kubelet }}/
-              mountPropagation: Bidirectional
-              name: mountpoint-dir
-{{- end }}
       volumes:
 {{- if .Values.node.enableBlobfuseProxy }}
         - name: host-usr
@@ -312,12 +286,6 @@ spec:
           hostPath:
             path: /etc/pki/ca-trust/extracted
         {{- end }}
-        {{- if .Values.node.enableAznfsMount }}
-        - hostPath:
-            path: /opt/microsoft/aznfs/data
-            type: DirectoryOrCreate
-          name: aznfs-data
-        {{- end }}
       {{- if .Values.securityContext }}
       securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
       {{- end }}
diff --git a/charts/latest/blob-csi-driver/values.yaml b/charts/latest/blob-csi-driver/values.yaml
@@ -6,19 +6,19 @@ image:
     pullPolicy: IfNotPresent
   csiProvisioner:
     repository: /oss/kubernetes-csi/csi-provisioner
-    tag: v3.6.1
+    tag: v3.5.0
     pullPolicy: IfNotPresent
   livenessProbe:
     repository: /oss/kubernetes-csi/livenessprobe
-    tag: v2.11.0
+    tag: v2.10.0
     pullPolicy: IfNotPresent
   nodeDriverRegistrar:
     repository: /oss/kubernetes-csi/csi-node-driver-registrar
-    tag: v2.9.0
+    tag: v2.8.0
     pullPolicy: IfNotPresent
   csiResizer:
     repository: /oss/kubernetes-csi/csi-resizer
-    tag: v1.9.1
+    tag: v1.8.0
     pullPolicy: IfNotPresent
 
 cloud: AzurePublicCloud
@@ -111,7 +111,6 @@ node:
   allowEmptyCloudConfig: true
   allowInlineVolumeKeyAccessWithIdentity: false
   maxUnavailable: 1
-  metricsPort: 29635
   livenessProbe:
     healthPort: 29633
   logLevel: 5
@@ -120,7 +119,7 @@ node:
     installBlobfuse: true
     blobfuseVersion: "1.4.5"
     installBlobfuse2: true
-    blobfuse2Version: "2.1.0"
+    blobfuse2Version: "2.0.3"
     setMaxOpenFileNum: true
     maxOpenFileNum: "9000000"
     disableUpdateDB: true
@@ -146,17 +145,10 @@ node:
       requests:
         cpu: 10m
         memory: 20Mi
-    aznfswatchdog:
-      limits:
-        memory: 100Mi
-      requests:
-        cpu: 10m
-        memory: 20Mi
   affinity: {}
   nodeSelector: {}
   tolerations:
     - operator: "Exists"
-  enableAznfsMount: true
 
 feature:
   fsGroupPolicy: ReadWriteOnceWithFSType

diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -579,7 +579,7 @@ func TestGetAuthEnv(t *testing.T) {
 					Keys: &accountkeylist,
 				}
 				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
-				_, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
+				_, _, _, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
 				expectedErr := fmt.Errorf("invalid getlatestaccountkey: %s in volume context", "invalid")
 				if !reflect.DeepEqual(err, expectedErr) {
 					t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr)

diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
@@ -28,8 +28,8 @@ RUN chmod +x /blobfuse-proxy/init.sh && \
  chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
  chmod +x /blobfuse-proxy/blobfuse-proxy
 
-# Temporarily adding "curl" update: Fix for CVE-2023-38545/CVE-2023-38546.
-# To be removed when base CBL-Mariner is updated.
+# Currently no CBL-Mariner image with fix for "curl" CVE-2023-38545/CVE-2023-38546.
+# So, temporarily do update here. Remove "curl" when image is updated.
 RUN tdnf updateinfo && \
     tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates curl && \
     tdnf clean all