remove secret exposure to external-snapshotter, release new helm char…

…t and complete changelogs
kubernetes-sigs · Feb 17, 2022 · 9e67394 · 9e67394
1 parent 08c7d7d
commit 9e67394
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 5 deletions.
diff --git a/CHANGELOG-0.x.md b/CHANGELOG-0.x.md
@@ -1,6 +1,6 @@
 # v1.5.1
 ## Notable changes
-* Address CVE ALAS-2021-1552
+* Address CVE ALAS-2021-1552, ALAS2-2022-1736, ALAS2-2022-1738, ALAS2-2022-1743
 
 # v1.5.0
 ### Misc.

diff --git a/charts/aws-ebs-csi-driver/CHANGELOG.md b/charts/aws-ebs-csi-driver/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Helm chart
 
+## v2.6.4
+
+* Remove exposure all secrets to external-snapshotter-role
+
 ## v2.6.3
 
 * Bump app/driver to version `v1.5.1`

diff --git a/charts/aws-ebs-csi-driver/Chart.yaml b/charts/aws-ebs-csi-driver/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 1.5.1
 name: aws-ebs-csi-driver
 description: A Helm chart for AWS EBS CSI Driver
-version: 2.6.3
+version: 2.6.4
 kubeVersion: ">=1.17.0-0"
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 sources:

diff --git a/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
@@ -9,9 +9,13 @@ rules:
   - apiGroups: [ "" ]
     resources: [ "events" ]
     verbs: [ "list", "watch", "create", "update", "patch" ]
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "get", "list" ]
+  # Secret permission is optional.
+  # Enable it if your driver needs secret.
+  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+  # - apiGroups: [ "" ]
+  #   resources: [ "secrets" ]
+  #   verbs: [ "get", "list" ]
   - apiGroups: [ "snapshot.storage.k8s.io" ]
     resources: [ "volumesnapshotclasses" ]
     verbs: [ "get", "list", "watch" ]