From c0c7c2c9ebcd24fa3cda9c1af49a8f5e178512d8 Mon Sep 17 00:00:00 2001 From: Abhijeet Rokade Date: Wed, 18 Sep 2024 14:02:35 +0000 Subject: [PATCH] PWX-37783, PWX-37782, PWX-37780, PWX-37779, PWX-37778: Update CSI images to fix CVE-2024-24790 vulnerability - Updated csi-provisioner image from v3.6.1 to v5.1.0 - Updated csi-snapshotter image from v8.0.1 to v8.1.0 - Updated snapshot-controller image from v6.3.1 to v8.1.0 - Updated csi-resizer image from v1.9.1 to v1.12.0 - Updated csi-node-driver-registrar image from v2.9.0 to v2.12.0 These updates address the CVE-2024-24790 vulnerability in the stdlib package. --- drivers/storage/portworx/component/csi.go | 5 +++ .../storage/portworx/util/csi_generator.go | 10 ++--- .../portworx/util/csi_generator_test.go | 44 +++++++++---------- .../daemonset-with-all-components.yaml | 18 ++++---- 4 files changed, 42 insertions(+), 35 deletions(-) diff --git a/drivers/storage/portworx/component/csi.go b/drivers/storage/portworx/component/csi.go index dcbd8d13a6..283bcc14f8 100644 --- a/drivers/storage/portworx/component/csi.go +++ b/drivers/storage/portworx/component/csi.go @@ -629,8 +629,13 @@ func getCSIDeploymentSpec( } } + // For external provisioner images with a major version >= 5, + // the Topology Feature Gate is enabled by default. Override this if + // CSI topology is explicitly enabled or not in the cluster spec. if cluster.Spec.CSI.Topology != nil && cluster.Spec.CSI.Topology.Enabled { args = append(args, "--feature-gates=Topology=true") + } else if util.GetImageMajorVersion(provisionerImage) >= 5 { + args = append(args, "--feature-gates=Topology=false") } sc := &v1.SecurityContext{ diff --git a/drivers/storage/portworx/util/csi_generator.go b/drivers/storage/portworx/util/csi_generator.go index 006c9e349c..b9e1511caf 100644 --- a/drivers/storage/portworx/util/csi_generator.go +++ b/drivers/storage/portworx/util/csi_generator.go 
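Review bot: The new `else if util.GetImageMajorVersion(provisionerImage) >= 5` branch in getCSIDeploymentSpec depends on a helper defined outside this patch, and its result for an image reference with no parseable version (a digest-pinned reference, `latest`, a custom tag) is not visible here. If it returns 0 or a negative value in that case, a v5+ provisioner supplied that way would start without `--feature-gates=Topology=false` and run with topology enabled although the cluster spec did not ask for it; confirm the fallback and cover it with a unit test. The comment above the branch is also hard to follow; `// csi-provisioner >= v5 enables the Topology feature gate by default, so pass Topology=false unless the cluster spec enables CSI topology.` states the rule directly. getCSIDeploymentSpec begins and ends outside the hunk.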
@@ -256,9 +256,9 @@ func (c *CSIConfiguration) DriverBasePath() string { } func (g *CSIGenerator) getSidecarContainerVersionsV1_0() *CSIImages { - provisionerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-provisioner:v3.5.0" - snapshotterImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-snapshotter:v6.2.2" - snapshotControllerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/snapshot-controller:v6.2.2" + provisionerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-provisioner:v5.1.0" + snapshotterImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-snapshotter:v8.1.0" + snapshotControllerImage := k8sutil.DefaultK8SRegistryPath + "/sig-storage/snapshot-controller:v8.1.0" // Provisioner fork can only be removed in PX 2.13 and later. if g.pxVersion.LessThan(pxVer2_13) { @@ -280,10 +280,10 @@ func (g *CSIGenerator) getSidecarContainerVersionsV1_0() *CSIImages { return &CSIImages{ Attacher: "docker.io/openstorage/csi-attacher:v1.2.1-1", - NodeRegistrar: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-node-driver-registrar:v2.8.0", + NodeRegistrar: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-node-driver-registrar:v2.12.0", Provisioner: provisionerImage, Snapshotter: snapshotterImage, - Resizer: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-resizer:v1.8.0", + Resizer: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-resizer:v1.12.0", SnapshotController: snapshotControllerImage, HealthMonitorController: k8sutil.DefaultK8SRegistryPath + "/sig-storage/csi-external-health-monitor-controller:v0.7.0", LivenessProbe: "docker.io/portworx/livenessprobe:v2.10.0-windows", diff --git a/drivers/storage/portworx/util/csi_generator_test.go b/drivers/storage/portworx/util/csi_generator_test.go index bb7f0f4f76..3090926095 100644 --- a/drivers/storage/portworx/util/csi_generator_test.go +++ b/drivers/storage/portworx/util/csi_generator_test.go 
@@ -19,67 +19,67 @@ func TestCSIImages(t *testing.T) { gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v1.6.1-1", images.Provisioner) require.Equal(t, "quay.io/openstorage/csi-snapshotter:v1.2.2-1", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) k8sVersion, _ = version.NewSemver("1.14.5") gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v1.6.1-1", images.Provisioner) require.Equal(t, "docker.io/openstorage/csi-snapshotter:v1.2.2-1", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) k8sVersion, _ = version.NewSemver("1.18.5") gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, 
"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v2.2.2-1", images.Provisioner) require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v3.0.3", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) k8sVersion, _ = version.NewSemver("1.20.4") gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", false) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner) - require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) k8sVersion, _ = version.NewSemver("1.20.4") gen = NewCSIGenerator(*k8sVersion, version.Version{}, false, false, "", true) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner) - require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter) - require.Equal(t, 
"registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter) + require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) k8sVersion, _ = version.NewSemver("1.23.4") gen = NewCSIGenerator(*k8sVersion, *pxVer2_10, false, false, "", true) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) require.Equal(t, "docker.io/openstorage/csi-provisioner:v3.2.1-1", images.Provisioner) - require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter) + require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) require.Equal(t, "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0", images.HealthMonitorController) k8sVersion, _ = version.NewSemver("1.23.4") gen = NewCSIGenerator(*k8sVersion, *pxVer2_13, false, false, "", true) images = gen.GetCSIImages() require.Equal(t, "docker.io/openstorage/csi-attacher:v1.2.1-1", images.Attacher) - require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0", images.NodeRegistrar) - 
require.Equal(t, "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0", images.Provisioner) - require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2", images.Snapshotter) - require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v6.2.2", images.SnapshotController) - require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.8.0", images.Resizer) + require.Equal(t, "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0", images.NodeRegistrar) + require.Equal(t, "registry.k8s.io/sig-storage/csi-provisioner:v5.1.0", images.Provisioner) + require.Equal(t, "registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0", images.Snapshotter) + require.Equal(t, "registry.k8s.io/sig-storage/snapshot-controller:v8.1.0", images.SnapshotController) + require.Equal(t, "registry.k8s.io/sig-storage/csi-resizer:v1.12.0", images.Resizer) require.Equal(t, "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0", images.HealthMonitorController) } diff --git a/test/integration_test/testspec/migration/daemonset-with-all-components.yaml b/test/integration_test/testspec/migration/daemonset-with-all-components.yaml index 09bfe2881c..fa2140748e 100644 --- a/test/integration_test/testspec/migration/daemonset-with-all-components.yaml +++ b/test/integration_test/testspec/migration/daemonset-with-all-components.yaml @@ -132,7 +132,7 @@ spec: - name: dbusmount mountPath: /var/run/dbus - name: csi-node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 imagePullPolicy: Always args: - "--v=5" 
@@ -317,14 +317,16 @@ spec: serviceAccount: px-csi-account containers: - name: csi-external-provisioner - image: docker.io/openstorage/csi-provisioner:v1.6.1-1 + image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0 imagePullPolicy: Always args: - "--v=3" - - "--provisioner=pxd.portworx.com" - "--csi-address=$(ADDRESS)" - - "--enable-leader-election" - - "--leader-election-type=leases" + - "--leader-election=true" + - "--default-fstype=ext4" + - "--extra-create-metadata=true" + - "--timeout=5m" + - "--feature-gates=Topology=false" env: - name: ADDRESS value: /csi/csi.sock @@ -334,7 +336,7 @@ spec: - name: socket-dir mountPath: /csi - name: csi-snapshotter - image: registry.k8s.io/sig-storage/csi-snapshotter:v4.0.0 + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0 imagePullPolicy: Always args: - "--v=3" @@ -349,7 +351,7 @@ spec: - name: socket-dir mountPath: /csi - name: csi-snapshot-controller - image: registry.k8s.io/sig-storage/snapshot-controller:v4.0.0 + image: registry.k8s.io/sig-storage/snapshot-controller:v8.1.0 imagePullPolicy: Always args: - "--v=3" @@ -363,7 +365,7 @@ spec: - name: socket-dir mountPath: /csi - name: csi-resizer - image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0 imagePullPolicy: Always args: - "--v=3"