PWX-37783, PWX-37782, PWX-37780, PWX-37779, PWX-37778: Update CSI ima…

…ges to fix CVE-2024-24790 vulnerability

- Updated csi-provisioner image from v3.6.1 to v5.1.0
- Updated csi-snapshotter image from v8.0.1 to v8.1.0
- Updated snapshot-controller image from v6.3.1 to v8.1.0
- Updated csi-resizer image from v1.9.1 to v1.12.0
- Updated csi-node-driver-registrar image from v2.9.0 to v2.12.0

These updates address the CVE-2024-24790 vulnerability in the stdlib package.

drivers/storage/portworx/component/csi.go

@@ -629,8 +629,13 @@ func getCSIDeploymentSpec(
  }
  }
 
+ // For external provisioner images with a major version >= 5,
+ // the Topology Feature Gate is enabled by default. Override this if
+ // CSI topology is explicitly enabled or not in the cluster spec.
  if cluster.Spec.CSI.Topology != nil && cluster.Spec.CSI.Topology.Enabled {
  args = append(args, "--feature-gates=Topology=true")
+ } else if util.GetImageMajorVersion(provisionerImage) >= 5 {
+ args = append(args, "--feature-gates=Topology=false")
  }
 
  sc := &v1.SecurityContext{

drivers/storage/portworx/util/csi_generator.go

@@ -256,9 +256,9 @@ func (c *CSIConfiguration) DriverBasePath() string {
 }
 
 func (g *CSIGenerator) getSidecarContainerVersionsV1_0() *CSIImages {
- provisionerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-provisioner:v3.5.0"
- snapshotterImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-snapshotter:v6.2.2"
- snapshotControllerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/snapshot-controller:v6.2.2"
+ provisionerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-provisioner:v5.1.0"
+ snapshotterImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-snapshotter:v8.1.0"
+ snapshotControllerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/snapshot-controller:v8.1.0"
 
  // Provisioner fork can only be removed in PX 2.13 and later.
  if g.pxVersion.LessThan(pxVer2_13) {
@@ -280,10 +280,10 @@ func (g *CSIGenerator) getSidecarContainerVersionsV1_0() *CSIImages {
 
  return &CSIImages{
  Attacher: "docker.io/openstorage/csi-attacher:v1.2.1-1",
- NodeRegistrar: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-node-driver-registrar:v2.8.0",
+ NodeRegistrar: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-node-driver-registrar:v2.12.0",
  Provisioner: provisionerImage,
  Snapshotter: snapshotterImage,
- Resizer: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-resizer:v1.8.0",
+ Resizer: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-resizer:v1.12.0",
  SnapshotController: snapshotControllerImage,
  HealthMonitorController: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-external-health-monitor-controller:v0.7.0",
  LivenessProbe: "docker.io/portworx/livenessprobe:v2.10.0-windows",

drivers/storage/portworx/util/csi_generator_test.go

@@ -19,67 +19,67 @@ func TestCSIImages(t *testing.T) {
  gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v1.6.1-1", images.Provisioner)
  require.Equal(t, "quay.io/openstorage/csi-snapshotter:v1.2.2-1", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
 
  k8sVersion, _ = version.NewSemver("1.14.5")
  gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v1.6.1-1", images.Provisioner)
  require.Equal(t, "docker.io/openstorage/csi-snapshotter:v1.2.2-1", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
 
  k8sVersion, _ = version.NewSemver("1.18.5")
  gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v2.2.2-1", images.Provisioner)
  require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v3.0.3", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
 
  k8sVersion, _ = version.NewSemver("1.20.4")
  gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
 
  k8sVersion, _ = version.NewSemver("1.20.4")
  gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", true)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter)
+ require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
 
  k8sVersion, _ = version.NewSemver("1.23.4")
  gen = NewCSIGenerator(*k8sVersion, *pxVer2_10, false, false, "", true)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
  require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter)
+ require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
  require.Equal(t, "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0", images.HealthMonitorController)
 
  k8sVersion, _ = version.NewSemver("1.23.4")
  gen = NewCSIGenerator(*k8sVersion, *pxVer2_13, false, false, "", true)
  images = gen.GetCSIImages()
  require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0", images.Provisioner)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter)
- require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController)
- require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-provisioner:v5.1.0", images.Provisioner)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter)
+ require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController)
+ require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer)
  require.Equal(t, "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0", images.HealthMonitorController)
 }

test/integration_test/testspec/migration/daemonset-with-all-components.yaml

@@ -132,7 +132,7 @@ spec:
  - name: dbusmount
  mountPath: /var/run/dbus
  - name: csi-node-driver-registrar
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0
  imagePullPolicy: Always
  args:
  - "--v=5"
@@ -317,14 +317,16 @@ spec:
  serviceAccount: px-csi-account
  containers:
  - name: csi-external-provisioner
- image: docker.io/openstorage/csi-provisioner:v1.6.1-1
+ image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0
  imagePullPolicy: Always
  args:
  - "--v=3"
- - "--provisioner=pxd.portworx.com"
  - "--csi-address=$(ADDRESS)"
- - "--enable-leader-election"
- - "--leader-election-type=leases"
+ - "--leader-election=true"
+ - "--default-fstype=ext4"
+ - "--extra-create-metadata=true"
+ - "--timeout=5m"
+ - "--feature-gates=Topology=false" 
  env:
  - name: ADDRESS
  value: /csi/csi.sock
@@ -334,7 +336,7 @@ spec:
  - name: socket-dir
  mountPath: /csi
  - name: csi-snapshotter
- image: registry.k8s.io/sig-storage/csi-snapshotter:v4.0.0
+ image: registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0
  imagePullPolicy: Always
  args:
  - "--v=3"
@@ -349,7 +351,7 @@ spec:
  - name: socket-dir
  mountPath: /csi
  - name: csi-snapshot-controller
- image: registry.k8s.io/sig-storage/snapshot-controller:v4.0.0
+ image: registry.k8s.io/sig-storage/snapshot-controller:v8.1.0
  imagePullPolicy: Always
  args:
  - "--v=3"
@@ -363,7 +365,7 @@ spec:
  - name: socket-dir
  mountPath: /csi
  - name: csi-resizer
- image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0
+ image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0
  imagePullPolicy: Always
  args:
  - "--v=3"