Merge pull request kubernetes-sigs#65 from RomanBednar/rebase-v1.7.3

STOR-1577: Rebase to v1.7.3 for OCP 4.16

CHANGELOG-1.x.md

@@ -1,3 +1,20 @@
+# V1.7.3
+* Edit file paths in provisioning.go to fix failing e2e test. ([#1223](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1223) [@seanzatzdev-amazon](https://github.com/seanzatzdev-amazon))
+* CVE-2023-48795: bump golang.org/x/crypto to v0.17.0. ([#1222](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1222), [@dobsonj](https://github.com/dobsonj))
+* set results count for listing access points. ([#1217](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1217), [@RomanBednar](https://github.com/RomanBednar))
+* Reduce calls to EFS API. ([#1226](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1226), [@otorreno](https://github.com/otorreno))
+# V1.7.2
+* Fixed the GID allocator work with the cross account feature. ([#1199](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1199), [@RomanBednar](https://github.com/RomanBednar))
+* Added Startup Taint Removal Feature to alleviate potential race conditions. ([#1197](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1197), [@mskanth972](https://github.com/mskanth972))
+* Updated the apiversion in StaticProvisioning storageclass.yaml example file. ([#1193](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1193), [@Rajit11](https://github.com/Rajit11))
+* README Update: Update Static Provisioning README.md on mounttargetip option. ([#1192](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1192), [@seanzatzdev-amazon](https://github.com/seanzatzdev-amazon))
+* Updated the GID allocator to allocate GIDs in increasing order. ([#1182](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1182), [@RomanBednar](https://github.com/RomanBednar))
+* Updated the sidecar tags to the latest. ([#1161](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1161), [@mskanth972](https://github.com/mskanth972))
+# V1.7.1
+* Fixed Posixuser nil pointer dereference issue. ([#1180](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1180), [@mskanth972](https://github.com/mskanth972))
+* Fixed CVE-2023-45142: bump k8s and opentelemetry. ([#1176](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1176), [@jsafrane](https://github.com/jsafrane))
+* README Update: Fix typo in installation with public manifest. ([#1168](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1168), [@ysam12345](https://github.com/ysam12345))
+* README Update: Updating README for 'noresvport' mount option. ([#1158](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1158), [@mskanth972](https://github.com/mskanth972))
 # V1.7.0
 * Added Storage Class features to allow more control of the directory structure of Access Points under Dynamic Provisioning. ([#640](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/640), [@jonathanrainer](https://github.com/jonathanrainer))
 * Added Storage Class feature to allow access points to be replicated across different clusters. ([#1026](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1026), [@mskanth972](https://github.com/mskanth972))
@@ -14,7 +31,7 @@
 # V1.6.0
 * Bump golang.org/x/net/html to fix CVE-2023-3978. ([#1089](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1089), [@jsafrane](https://github.com/jsafrane))
 * Set efs-plugin container security context to `true` which can solve the deleteAccessPointRootDir issues. ([#1096](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1096),
-[@seanzatzdev-amazon](https://github.com/seanzatzdev-amazon))
+  [@seanzatzdev-amazon](https://github.com/seanzatzdev-amazon))
 * Updated all the necessary components to enable running kOps / EKS e2e CI jobs in the latest version of K8s without `hostNetwork: true`. ([#1088](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1088), [@torredil](https://github.com/torredil))
 # V1.5.9
 * Addressed CVEs (CVE-2023-2602, CVE-2019-15167, CVE-2-23-2431, CVE-2023-2727).
@@ -60,9 +77,10 @@
 * Fixed-AWS EFS CSI Driver crashes if Access Point creation fails and static GID set
 * Update efs-csi-driver to use efs-utils latest release v1.34.5 which Handle invalid mount point name, Avoid redundant get_target_region call, Update man page and Watchdog detect empty private key and regenerate
 # V1.4.8
-* Update efs-csi-driver to use efs-utils latest release v1.34.4 and include stunnel fix ([#125](https://github.com/aws/efs-utils/issues/125))
+* Use efs-utils version v1.34.4 for stunnel fix ([#125](https://github.com/aws/efs-utils/issues/125)
 # V1.4.7
-* Update the efs-utils to v1.34.3 to reduce possibility of multiple mounts starting from same port range
+* Update the efs-utils to v1.34.3 to reduce possibility of multiple mounts starting from same port range.
+* Added following permissions to the policy json at https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/cross_account_mount/iam-policy-examples/describe-mount-target-example.json
 # V1.4.6
 * Update efs-utils to stunnel5.
 # V1.4.5

Dockerfile.openshift

@@ -15,4 +15,4 @@ FROM registry.ci.openshift.org/ocp/4.16:aws-efs-utils-base
 RUN mv /etc/amazon/efs /etc/amazon/efs-static-files
 
 COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-efs-csi-driver/bin/aws-efs-csi-driver /usr/bin/
-ENTRYPOINT ["/usr/bin/aws-efs-csi-driver"]
+ENTRYPOINT ["/usr/bin/aws-efs-csi-driver"]

Makefile

@@ -13,7 +13,7 @@
 # limitations under the License.
 #
 
-VERSION=v1.7.0
+VERSION=v1.7.3
 
 PKG=github.com/kubernetes-sigs/aws-efs-csi-driver
 GIT_COMMIT?=$(shell git rev-parse HEAD)

charts/aws-efs-csi-driver/CHANGELOG.md

@@ -1,4 +1,10 @@
 # Helm chart
+# v2.5.2
+* Bump app/driver version to `v1.7.2`
+# v2.5.1
+* Bump app/driver version to `v1.7.1`
+# v2.5.0
+* Bump app/driver version to `v1.7.0`
 # v2.4.9
 * Bump app/driver version to `v1.6.0`
 # v2.4.8
@@ -11,9 +17,9 @@
 * Bump helm version for change of state-dir path to avoid losing track of state files which exists already to `v2.4.5`
 # v2.4.4
 * Bump helm version to pick the latest side-car images `v2.4.4`
-# v2.4.3
+# V2.4.3
 * Bump app/driver version to `v1.5.6`
-# v2.4.2
+# V2.4.2
 * Bump app/driver version to `v1.5.5` 
 # v2.4.1
 * Bump app/driver version to `v1.5.4`

charts/aws-efs-csi-driver/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: aws-efs-csi-driver
-version: 2.4.9
-appVersion: 1.6.0
+version: 2.5.2
+appVersion: 1.7.2
 kubeVersion: ">=1.17.0-0"
 description: "A Helm chart for AWS EFS CSI Driver"
 home: https://github.com/kubernetes-sigs/aws-efs-csi-driver

charts/aws-efs-csi-driver/templates/controller-deployment.yaml

@@ -61,6 +61,7 @@ spec:
             {{- end }}
             - --v={{ .Values.controller.logLevel }}
             - --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }}
+            - --vol-metrics-opt-in={{ hasKey .Values.controller "volMetricsOptIn" | ternary .Values.controller.volMetricsOptIn false }}
           env:
             - name: CSI_ENDPOINT
               value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock

charts/aws-efs-csi-driver/templates/node-serviceaccount.yaml

@@ -20,7 +20,7 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
+    verbs: ["get", "list", "watch", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

charts/aws-efs-csi-driver/values.yaml

@@ -11,14 +11,14 @@ useFIPS: false
 
 image:
   repository: amazon/aws-efs-csi-driver
-  tag: "v1.6.0"
+  tag: "v1.7.2"
   pullPolicy: IfNotPresent
 
 sidecars:
   livenessProbe:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-      tag: v2.10.0-eks-1-27-3
+      tag: v2.10.0-eks-1-28-4
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:
@@ -27,7 +27,7 @@ sidecars:
   nodeDriverRegistrar:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-      tag: v2.8.0-eks-1-27-3
+      tag: v2.8.0-eks-1-28-4
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:
@@ -36,7 +36,7 @@ sidecars:
   csiProvisioner:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-      tag: v3.5.0-eks-1-27-3
+      tag: v3.5.0-eks-1-28-4
       pullPolicy: IfNotPresent
     resources: {}
     securityContext:
@@ -62,6 +62,7 @@ controller:
   # Enable if you want the controller to also delete the
   # path on efs when deleteing an access point
   deleteAccessPointRootDir: false
+  volMetricsOptIn: false
   podAnnotations: {}
   resources:
     {}
@@ -77,7 +78,11 @@ controller:
     #   memory: 128Mi
   nodeSelector: {}
   updateStrategy: {}
-  tolerations: []
+  tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - key: efs.csi.aws.com/agent-not-ready
+      operator: Exists
   affinity: {}
   # Specifies whether a service account should be created
   serviceAccount:
@@ -101,9 +106,6 @@ controller:
 node:
   # Number for the log level verbosity
   logLevel: 2
-  volMetricsOptIn: false
-  volMetricsRefreshPeriod: 240
-  volMetricsFsRateLimit: 5
   hostAliases:
     {}
     # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per
@@ -138,15 +140,6 @@ node:
     # type: OnDelete
   tolerations:
     - operator: Exists
-  affinity:
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-              - key: eks.amazonaws.com/compute-type
-                operator: NotIn
-                values:
-                  - fargate
   # Specifies whether a service account should be created
   serviceAccount:
     create: true

deploy/kubernetes/base/controller-deployment.yaml

@@ -34,7 +34,7 @@ spec:
         - name: efs-plugin
           securityContext:
             privileged: true
-          image: amazon/aws-efs-csi-driver:v1.6.0
+          image: amazon/aws-efs-csi-driver:v1.7.2
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=$(CSI_ENDPOINT)
@@ -64,7 +64,7 @@ spec:
             periodSeconds: 10
             failureThreshold: 5
         - name: csi-provisioner
-          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v3.5.0-eks-1-27-3
+          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v3.5.0-eks-1-28-4
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=$(ADDRESS)
@@ -82,7 +82,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-27-3
+          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-28-4
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=/csi/csi.sock

deploy/kubernetes/base/node-daemonset.yaml

@@ -37,6 +37,8 @@ spec:
       priorityClassName: system-node-critical
       tolerations:
         - operator: Exists
+        - key: efs.csi.aws.com/agent-not-ready
+          operator: Exists
       securityContext:
         fsGroup: 0
         runAsGroup: 0
@@ -46,7 +48,7 @@ spec:
         - name: efs-plugin
           securityContext:
             privileged: true
-          image: amazon/aws-efs-csi-driver:v1.6.0
+          image: amazon/aws-efs-csi-driver:v1.7.2
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=$(CSI_ENDPOINT)
@@ -87,7 +89,7 @@ spec:
             periodSeconds: 2
             failureThreshold: 5
         - name: csi-driver-registrar
-          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.8.0-eks-1-27-3
+          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.8.0-eks-1-28-4
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=$(ADDRESS)
@@ -111,7 +113,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-27-3
+          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-28-4
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=/csi/csi.sock

deploy/kubernetes/base/node-serviceaccount.yaml

@@ -16,7 +16,7 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
+    verbs: ["get", "list", "watch", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

deploy/kubernetes/overlays/stable/ecr/kustomization.yaml

@@ -5,13 +5,13 @@ bases:
 images:
   - name: amazon/aws-efs-csi-driver
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver
-    newTag: v1.6.0
+    newTag: v1.7.2
   - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/livenessprobe
-    newTag: v2.10.0-eks-1-27-3
+    newTag: v2.10.0-eks-1-28-4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-node-driver-registrar
-    newTag: v2.8.0-eks-1-27-3
+    newTag: v2.8.0-eks-1-28-4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
     newName: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/csi-provisioner
-    newTag: v3.5.0-eks-1-27-3
+    newTag: v3.5.0-eks-1-28-4

deploy/kubernetes/overlays/stable/kustomization.yaml

@@ -4,10 +4,10 @@ bases:
   - ../../base
 images:
   - name: amazon/aws-efs-csi-driver
-    newTag: v1.6.0
+    newTag: v1.7.2
   - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-    newTag: v2.10.0-eks-1-27-3
+    newTag: v2.10.0-eks-1-28-4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-    newTag: v2.8.0-eks-1-27-3
+    newTag: v2.8.0-eks-1-28-4
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-    newTag: v3.5.0-eks-1-27-3
+    newTag: v3.5.0-eks-1-28-4