Skip to content

STOR-2922: Rebase to upstream v1.20.1 for OCP 5.0#62

Open
dfajmon wants to merge 27 commits into
openshift:masterfrom
dfajmon:rebase-v1.20.1
Open

STOR-2922: Rebase to upstream v1.20.1 for OCP 5.0#62
dfajmon wants to merge 27 commits into
openshift:masterfrom
dfajmon:rebase-v1.20.1

Conversation

@dfajmon

@dfajmon dfajmon commented Jun 17, 2026

Copy link
Copy Markdown

STOR-2954: Rebase to upstream v1.20.1 for OCP 5.0

Issue link
https://redhat.atlassian.net/browse/STOR-2954

Diff to upstream v1.20.1
kubernetes-csi/csi-driver-smb@v1.20.1...dfajmon:rebase-v1.20.1

Notes for reviewers

Summary of changes

Notable Bug Fixes

  • fix: SmbGlobalMapping leak due to wrong driverGlobalMountPath on Windows (af3f476)

CVE Fixes

CVE-2026-24051

Cherry-picked commits

Commit Subject Author
2e329bec2 UPSTREAM: <carry>: Add OpenShift files Daniel Fajmon
8272127d0 UPSTREAM: <carry>: Updating ose-smb-csi-driver-container image to be consistent with ART for 4.22 AOS Automation Release Team
08dd9f000 UPSTREAM: 1103: Bump github.com/moby/spdystream to v0.5.1 Jaspreet Kaur
348d9abb4 UPSTREAM: <carry>: Updating ose-smb-csi-driver-container image to be consistent with ART for 5.0 AOS Automation Release Team

Upstream changelogs

Full changelog

kubernetes-csi/csi-driver-smb@v1.20.0...v1.20.1

Last rebase

#40

@openshift/storage

Summary by CodeRabbit

  • New Features

    • Added stronger validation for SMB volume paths to reject directory traversal attempts.
  • Bug Fixes

    • Corrected Windows host-process behavior to reference the SMB CSI plugin directory for unmount safety.
  • Chores

    • Released version 1.20.1 with updated component images (provisioner, resizer, liveness probe, SMB plugin, node driver registrar).
    • Added Helm chart/support for v1.20.1 (including RBAC, controller/node manifests, and install notes) and refreshed chart defaults and index.
    • Updated installation docs and bumped Go/tooling versions/dependencies.

andyzhangx and others added 24 commits February 10, 2026 13:19
1e81e752e Merge pull request kubernetes-csi#293 from andyzhangx/patch-9
4dc185057 fix: upgrade to go1.25.7 to fix CVE-2025-61727

git-subtree-dir: release-tools
git-subtree-split: 1e81e752e87e027311be882279eac9e292705aa5
…ease-tools-1.20

[release-1.20] chore: Update csi release tools
…t/cherry-pick-1020-to-release-1.20

[release-1.20] chore: validate mount path
…ar5-1.20

[release-1.20] chore: upgrade CSI sidecar image versions
fix

fix

test: fix trivy failure

fix

fix
…t/cherry-pick-1026-to-release-1.20

[release-1.20] test: upgrade to golint2
…t/cherry-pick-1025-to-release-1.20

[release-1.20] fix: CVE-2026-24051
119a53c3c Merge pull request kubernetes-csi#294 from andyzhangx/patch-10
7c9aa9ba3 fix: upgrade to go1.25.7 to fix CVE-2026-25679

git-subtree-dir: release-tools
git-subtree-split: 119a53c3cce0c04fd422514252ea62c6ff4e3548
…t/cherry-pick-1029-to-release-1.20

[release-1.20] test: fix CVE-2026-25679 in trivy action
…t/cherry-pick-1030-to-release-1.20

[release-1.20] fix: Update csi release tools to fix CVEs
…ak-win

fix: SmbGlobalMapping leak due to wrong driverGlobalMountPath on Windows
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 17, 2026

Copy link
Copy Markdown

@dfajmon: This pull request references STOR-2922 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "5.0.0" version, but multiple target versions were set.

Details

In response to this:

STOR-2922: Rebase to upstream v1.20.1 for OCP 5.0

Issue link
https://redhat.atlassian.net/browse/STOR-2922

Diff to upstream v1.20.1
kubernetes-csi/csi-driver-smb@v1.20.1...dfajmon:rebase-v1.20.1

Notes for reviewers

Summary of changes

Notable Bug Fixes

  • fix: SmbGlobalMapping leak due to wrong driverGlobalMountPath on Windows (#1037)

CVE Fixes

CVE-2026-24051, CVE-2026-25679

Cherry-picked commits

Commit Subject Author
2e329bec2 UPSTREAM: : Add OpenShift files Daniel Fajmon
8272127d0 UPSTREAM: : Updating ose-smb-csi-driver-container image to be consistent with ART for 4.22 AOS Automation Release Team
08dd9f000 UPSTREAM: 1103: Bump github.com/moby/spdystream to v0.5.1 Jaspreet Kaur
348d9abb4 UPSTREAM: : Updating ose-smb-csi-driver-container image to be consistent with ART for 5.0 AOS Automation Release Team

Upstream changelogs

Full changelog

kubernetes-csi/csi-driver-smb@v1.20.0...v1.20.1

Last rebase

#40

@openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2026
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8de2743e-201a-4db1-9d1d-ed4985f185f1

📥 Commits

Reviewing files that changed from the base of the PR and between dd00a2e and 32b1af2.

⛔ Files ignored due to path filters (77)
  • go.sum is excluded by !**/*.sum
  • vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/errorhandler/errorhandler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_readfile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/error_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/exception.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/schema.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/registry/key.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Walkthrough

This PR releases SMB CSI driver v1.20.1 by adding path traversal validation to volume source and subDir fields, creating a versioned Helm chart and Kubernetes manifests, bumping container image tags, updating Go toolchain to 1.25.0, and providing installation documentation with updated compatibility information.

Changes

SMB CSI v1.20.1 Release

Layer / File(s) Summary
Path validation helper and unit tests
pkg/smb/smb.go, pkg/smb/smb_test.go
Introduces validatePath function that rejects directory traversal sequences (..) by tokenizing paths on / and \, with comprehensive table-driven tests for empty/valid/traversal patterns.
Server validation integration and Windows path fix
pkg/smb/controllerserver.go, pkg/smb/controllerserver_test.go, pkg/smb/nodeserver.go, pkg/smb/nodeserver_test.go, pkg/mounter/safe_mounter_host_process_windows.go
Wires validatePath into controller newSMBVolume (for source/subDir) and node NodeStageVolume (for assembled source); adds TestNewSMBVolumeExtended and TestNewSMBVolumeValidation tables plus traversal-rejection test case; corrects Windows mounter path from file.csi.azure.com to smb.csi.k8s.io.
v1.20.1 Helm chart
charts/v1.20.1/csi-driver-smb/Chart.yaml, charts/v1.20.1/csi-driver-smb/values.yaml, charts/v1.20.1/csi-driver-smb/templates/*
Complete new Helm chart with appVersion/version 1.20.1, values defining image repositories/tags/resources/feature flags, template helpers, and conditionally-rendered templates for CSIDriver, StorageClass, RBAC (ServiceAccounts/ClusterRoles), controller Deployment, and Linux/Windows node DaemonSets.
v1.20.1 Kubernetes manifests
deploy/v1.20.1/*
Adds versioned static manifests: CSIDriver supporting Persistent/Ephemeral modes, controller Deployment with provisioner/resizer/liveness sidecars on shared /csi socket, Linux node DaemonSet with CSI registration, Windows node DaemonSet, Windows hostProcess DaemonSet with init container, and RBAC resources.
Image tag updates
deploy/csi-smb-*.yaml, charts/latest/csi-driver-smb/..., charts/README.md
Bumps csi-provisioner v6.0.0→v6.1.1, csi-resizer v2.0.0→v2.1.0, livenessprobe v2.17.0→v2.18.0, node-driver-registrar v2.15.0→v2.16.0, and smbplugin v1.20.0→v1.20.1 across legacy deploy and latest chart assets.
Build tooling and dependencies
.golangci.yml, go.mod, release-tools/prow.sh, Makefile, hack/verify-helm-chart-index.sh
Rewrites golangci.yml to version 2 with staticcheck/depguard; upgrades go.mod to Go 1.25.0 with indirect dependency bumps (logr, go-cmp, OTel, sys); updates prow.sh Go build version to 1.25.8; bumps IMAGE_VERSION to v1.20.1; disables fatal exit in Helm index verification.
Documentation and chart index
docs/install-csi-driver-v1.20.1.md, docs/install-smb-csi-driver.md, README.md, charts/index.yaml
Adds v1.20.1 install guide with remote/local deployment steps, updates v1.20.x documentation link, updates README compatibility table, adds v1.20.1 chart index entries, and rewrites legacy entry URLs from master to release-1.20 branch.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • RomanBednar

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name Status Explanation Resolution
Container-Privileges ❌ Error Multiple container privilege escalations found: privileged: true in smb containers (deploy/v1.20.1/csi-smb-controller.yaml, deploy/v1.20.1/csi-smb-node.yaml, and chart templates), `hostNetwork: t... Review privileged settings in deploy/v1.20.1/ and charts/v1.20.1/ manifests; document CSI driver privilege justification in comments or PR description.
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility ⚠️ Warning The PR introduces a DaemonSet with a wildcard toleration (operator: "Exists" with no key) that will inadvertently schedule the SMB CSI node component to resource-constrained arbiter nodes on Two-No... The csi-smb-node DaemonSet in deploy/v1.20.1/csi-smb-node.yaml (line 30) and its Helm template equivalent use a wildcard toleration that accepts all taints, including node-role.kubernetes.io/arbiter:NoSchedule. On TNA clusters, arbiter n...
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main purpose of this PR: rebasing the SMB CSI driver repository to upstream v1.20.1 for OpenShift Container Platform 5.0.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR is not subject to the Ginkgo test naming check. The codebase uses standard Go testing (testing.T) for unit tests with table-driven test cases using static string descriptions in 'desc' fiel...
Test Structure And Quality ✅ Passed PR adds four standard Go tests (not Ginkgo), all meeting quality requirements: single responsibility (each test/case addresses one behavior), no cluster resource cleanup needed (unit tests), no tim...
Microshift Test Compatibility ✅ Passed New Ginkgo e2e tests added use only standard Kubernetes APIs (core/v1, apps/v1, storage/v1). No OpenShift-specific or MicroShift-unavailable APIs detected. Tests are MicroShift-compatible.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests were added in this PR. The changes include only unit tests (using Go's testing.T) which do not interact with a cluster and therefore have no SNO compatibility concerns.
Ote Binary Stdout Contract ✅ Passed No OTE Binary Stdout Contract violations found. All modified Go files contain only business logic and test code with no direct stdout writes in process-level code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed New Ginkgo e2e tests use cluster-internal DNS (smb-server.default.svc.cluster.local) with no hardcoded IPv4 addresses, IPv4-only assumptions, or external connectivity requirements. Compatible with...
No-Weak-Crypto ✅ Passed No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) was introduced in modified files. Only security-enhancing changes detected (path traversal validation).
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data (passwords, tokens, API keys, PII, or credentials) is exposed in logs. Error messages only log validated paths; sensitive options use existing sanitization.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. and removed do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. labels Jun 17, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
deploy/csi-smb-node-windows.yaml (1)

36-36: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Inconsistent sidecar versions in Windows node DaemonSet vs Linux node and Helm values.

The Windows node DaemonSet has livenessprobe (v2.16.0) and csi-node-driver-registrar (v2.15.0), but the Linux node DaemonSet and Helm values use v2.18.0 and v2.16.0 respectively. All deployment artifacts for a release should use consistent sidecar versions to ensure parity across platforms and avoid support fragmentation.

🔧 Proposed fix: Update Windows node sidecar versions to match Linux node and Helm values
        - name: liveness-probe
-          image: registry.k8s.io/sig-storage/livenessprobe:v2.16.0
+          image: registry.k8s.io/sig-storage/livenessprobe:v2.18.0
           imagePullPolicy: IfNotPresent
           command:
             - "csi-node-driver-registrar.exe"
        - name: node-driver-registrar
-          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.16.0
           imagePullPolicy: IfNotPresent

Also applies to: 56-56

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/csi-smb-node-windows.yaml` at line 36, Update the Windows node
DaemonSet sidecar versions to match the Linux node DaemonSet and Helm values for
consistency across platforms. Change the livenessprobe image version from
v2.16.0 to v2.18.0 at line 36, and update the csi-node-driver-registrar image
version from v2.15.0 to v2.16.0 at line 56. These changes ensure version parity
between Windows and Linux deployments as specified in the Helm values.
hack/verify-helm-chart-index.sh (1)

29-37: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore fail-fast verification and fix branch-agnostic local path mapping.

Line 36 suppresses real verification failures. Combined with Line 29’s master-specific path rewrite, URLs on release-1.20 won’t map to valid local files, and the script can pass when checks actually fail.

Proposed fix
-        local=${PKG_ROOT}${url#*master}
+        local_path="${PKG_ROOT}$(echo "$url" | sed -E 's#^https://raw\.githubusercontent\.com/kubernetes-csi/csi-driver-smb/[^/]+##')"
-        echo "check whether $local exists"
-        if [ -f "$local" ]
+        echo "check whether $local_path exists"
+        if [ -f "$local_path" ]
         then
-            echo "$local exists"
+            echo "$local_path exists"
         else
-            echo "$local does not exist"
-            `#exit` 1
+            echo "$local_path does not exist"
+            exit 1
         fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/verify-helm-chart-index.sh` around lines 29 - 37, The script has two
related issues preventing proper verification: the `exit 1` statement on line 36
is commented out, suppressing actual verification failures, and the local path
mapping on line 29 uses a hardcoded `master` branch reference that won't work
for other branches like `release-1.20`. To fix this, uncomment the `exit 1`
after the "does not exist" message to restore fail-fast verification, and
replace the hardcoded `master` in the path rewriting logic with a
branch-agnostic approach that dynamically extracts the correct path component
regardless of which branch the URL references.
🟠 Major comments (16)
pkg/smb/controllerserver.go-501-506 (1)

501-506: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate volumeID-derived paths too, not only create-time params.

Line 501 adds strong checks for CreateVolume inputs, but DeleteVolume and copyFromVolume still accept source/subDir/uuid from getSmbVolFromID without equivalent validation. A crafted volumeID containing traversal segments can still flow into getInternalMountPath/getInternalVolumePath and reach filesystem operations.

Suggested hardening (centralized in getSmbVolFromID)
 func getSmbVolFromID(id string) (*smbVolume, error) {
 	segments := strings.Split(id, separator)
 	if len(segments) < 2 {
 		return nil, fmt.Errorf("could not split %q into server and subDir", id)
 	}
 	source := segments[0]
 	if !strings.HasPrefix(segments[0], "//") {
 		source = "//" + source
 	}
 	vol := &smbVolume{
 		id:     id,
 		source: source,
 		subDir: segments[1],
 	}
+	if err := validatePath(vol.source); err != nil {
+		return nil, fmt.Errorf("invalid source %q in volume id: %w", vol.source, err)
+	}
+	if err := validatePath(vol.subDir); err != nil {
+		return nil, fmt.Errorf("invalid subDir %q in volume id: %w", vol.subDir, err)
+	}
 	if len(segments) >= 3 {
 		vol.uuid = segments[2]
+		if err := validatePath(vol.uuid); err != nil {
+			return nil, fmt.Errorf("invalid uuid %q in volume id: %w", vol.uuid, err)
+		}
 	}
 	if len(segments) >= 4 {
 		vol.onDelete = segments[3]
 	}
 	return vol, nil
 }

As per coding guidelines, path traversal defenses must validate untrusted path-like input at trust boundaries (including ../ rejection), which applies to parsed volumeID components as well.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/smb/controllerserver.go` around lines 501 - 506, The path validation
added for CreateVolume inputs (using validatePath for vol.source and vol.subDir)
does not apply to volumeID-derived paths used in DeleteVolume and copyFromVolume
operations. Add equivalent validation inside the getSmbVolFromID function to
validate the source, subDir, and uuid components parsed from the volumeID before
they are used by callers. Apply the same validatePath checks to reject traversal
segments (like ../) in volumeID components at the trust boundary, ensuring
getInternalMountPath and getInternalVolumePath only receive validated paths
regardless of their origin.

Source: Coding guidelines

deploy/v1.20.1/csi-smb-controller.yaml-17-19 (1)

17-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden controller pod: avoid hostNetwork/privileged and set explicit no-escalation controls.

This deployment currently runs with hostNetwork: true and a privileged driver container. For the controller path, that is a large attack-surface increase. Also set allowPrivilegeEscalation: false on non-privileged sidecars explicitly.

As per coding guidelines: “No hostPID, hostNetwork, hostIPC, privileged: true” and “allowPrivilegeEscalation: false”.

Also applies to: 63-90, 135-139

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-controller.yaml` around lines 17 - 19, The
csi-smb-controller deployment currently has hostNetwork set to true, which
creates unnecessary security risks. Remove the hostNetwork: true configuration
from the pod spec in the csi-smb-controller-deployment (and other affected
deployments at lines 63-90 and 135-139). Additionally, add securityContext with
allowPrivilegeEscalation: false to all non-privileged container specifications
within the controller pod to follow security hardening guidelines. Ensure that
privileged containers are only used when absolutely necessary and document why
they require elevated privileges.

Sources: Coding guidelines, Linters/SAST tools

deploy/v1.20.1/csi-smb-node.yaml-48-51 (1)

48-51: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit allowPrivilegeEscalation: false for non-privileged sidecars.

liveness-probe and node-driver-registrar already drop capabilities; add explicit no-escalation to complete the hardening baseline.

As per coding guidelines: “allowPrivilegeEscalation: false” for container security context in manifests.

Also applies to: 74-77

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-node.yaml` around lines 48 - 51, The securityContext
for the liveness-probe and node-driver-registrar containers in the CSI SMB node
manifest is incomplete. Add the explicit security hardening directive
allowPrivilegeEscalation: false to both containers' securityContext blocks (in
addition to the existing capabilities drop configuration). This applies to both
the liveness-probe and node-driver-registrar sidecars to fully comply with the
security baseline requirements.

Sources: Coding guidelines, Linters/SAST tools

deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml-28-35 (1)

28-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Document and constrain the HostProcess SYSTEM + hostNetwork exception explicitly.

This is a high-privilege runtime profile. If it is intentionally required, add explicit justification and compensating controls (policy/namespace constraints) in-manifest or adjacent release docs.

As per coding guidelines: “No hostPID, hostNetwork, hostIPC, privileged: true” and “running as root without justification.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml` around lines 28 - 35,
The securityContext configuration in the csi-smb-node-windows-hostprocess.yaml
file specifies a high-privilege runtime profile with hostProcess set to true,
runAsUserName set to NT AUTHORITY\SYSTEM, and hostNetwork set to true, but
provides no explicit justification or compensating controls. Add clear inline
comments or documentation explaining the security rationale for this exception
and implement compensating controls such as namespace constraints, RBAC
policies, or pod security policy restrictions either directly in the manifest or
in adjacent release documentation to justify and constrain this high-privilege
configuration.

Sources: Coding guidelines, Linters/SAST tools

deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml-43-95 (1)

43-95: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add health checks for HostProcess node components.

This DaemonSet has no liveness/readiness checks (or liveness sidecar), so stuck registrar/plugin processes are harder for kubelet to detect and recover.

As per coding guidelines: “Liveness + readiness probes defined.” This also deviates from the health-check pattern already used in sibling node manifests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml` around lines 43 - 95,
Add livenessProbe and readinessProbe sections to both the node-driver-registrar
and smb containers in the DaemonSet spec. For each container, define appropriate
health checks that validate the process is healthy and responding. Use probes
suitable for Windows HostProcess containers, such as HTTPGet probes pointing to
the registration socket endpoint for node-driver-registrar and the CSI endpoint
for the smb container, with reasonable initial delay, timeout, and period
values. Ensure both containers have consistent probe configurations following
the health-check pattern used in sibling node manifests.

Source: Coding guidelines

deploy/v1.20.1/rbac-csi-smb.yaml-40-42 (1)

40-42: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Scope Secret access to least privilege instead of cluster-wide get.

Both controller and node service accounts receive cluster-scoped Secret read permissions. If either workload is compromised, this enables cross-namespace secret exfiltration.

As per coding guidelines: “RBAC: least privilege; no cluster-admin for workloads” and static-analysis warning “No ServiceAccount/Node should be able to read all secrets.”

Also applies to: 91-111

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/rbac-csi-smb.yaml` around lines 40 - 42, The RBAC rule
granting cluster-wide secret read permissions violates least privilege
principles. Instead of allowing the "get" verb on all "secrets" resources across
all namespaces, scope secret access to only what is necessary. Either restrict
access to specific namespaces by adding a namespace field, limit to specific
secret names by adding a resourceNames field, or remove secret access entirely
if the service accounts do not actually require it. Apply the same least
privilege scoping fix to all similar rules referenced in the range 91-111 where
the same broad cluster-scoped secret access pattern appears.

Sources: Coding guidelines, Linters/SAST tools

deploy/v1.20.1/csi-smb-node.yaml-29-30 (1)

29-30: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace wildcard toleration to avoid unintended arbiter/special-node scheduling.

operator: "Exists" tolerates every taint, which can place this DaemonSet onto resource-constrained or restricted nodes (including arbiter nodes).

Suggested change
       tolerations:
-        - operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          operator: "Exists"
+          effect: "NoSchedule"
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Exists"
+          effect: "NoSchedule"
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+          effect: "NoSchedule"

As per coding guidelines: “Flag broad or wildcard tolerations … may inadvertently schedule to resource-constrained TNA arbiter nodes.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-node.yaml` around lines 29 - 30, The tolerations
section currently uses a wildcard toleration with operator: "Exists" which
tolerates all taints and can inadvertently schedule the CSI SMB node DaemonSet
onto arbiter nodes or resource-constrained nodes. Replace this broad toleration
with specific tolerations that target only the intended node types by specifying
the exact key and effect combinations (such as specific node-role taints) rather
than using the wildcard Exists operator. This ensures the DaemonSet only
schedules on appropriate worker nodes and avoids restricted or special-purpose
nodes.

Source: Coding guidelines

charts/v1.20.1/csi-driver-smb/templates/csi-smb-controller.yaml-48-49 (1)

48-49: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden controller defaults: avoid host networking and privileged mode.

Line 48 and Line 171 enable high-risk defaults (hostNetwork: true, privileged: true) for the controller deployment. These should be opt-in with explicit justification, not defaults.

Suggested patch
-      hostNetwork: true
+      hostNetwork: false
@@
           securityContext:
-            privileged: true
+            allowPrivilegeEscalation: false
+            privileged: false
             capabilities:
               drop:
               - ALL

As per coding guidelines: “Flag privileged: true, hostNetwork … in container/K8s manifests” and “securityContext … allowPrivilegeEscalation: false.”

Also applies to: 170-174

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-smb-controller.yaml` around lines
48 - 49, The csi-smb-controller deployment has insecure security defaults with
hostNetwork set to true on line 48 and privileged set to true on line 171. These
high-risk settings should not be enabled by default. Change hostNetwork and
privileged to false (or configurable via .Values) to follow the principle of
least privilege, and add securityContext with allowPrivilegeEscalation: false to
prevent privilege escalation. Make these restrictive settings the default,
allowing users to opt-in to elevated privileges only when explicitly needed.

Source: Coding guidelines

charts/v1.20.1/csi-driver-smb/values.yaml-112-113 (1)

112-113: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Narrow the default Linux toleration; wildcard toleration is too broad for TNA.

Line 113 (operator: "Exists") tolerates all taints and can place this workload on arbiter nodes. That conflicts with topology constraints for arbiter usage.

Suggested patch
   tolerations:
-    - operator: "Exists"
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"

As per coding guidelines: “Flag broad or wildcard tolerations (tolerating all NoSchedule taints) in operator code and manifests that may inadvertently schedule to resource-constrained TNA arbiter nodes.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.20.1/csi-driver-smb/values.yaml` around lines 112 - 113, The
tolerations configuration in the values.yaml file uses operator "Exists" in the
Linux toleration block, which is a wildcard that tolerates all taints and can
inadvertently schedule the workload on resource-constrained arbiter nodes.
Instead of using the broad operator "Exists" toleration, specify explicit taint
keys and values that the workload should tolerate, ensuring that arbiter-related
taints are not included in the toleration list. This will restrict pod placement
to appropriate nodes only and prevent scheduling conflicts with topology
constraints.

Source: Coding guidelines

charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml-52-56 (1)

52-56: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Hardcoded kubelet path breaks custom configurations.

The initContainer hardcodes C:\\var\\lib\\kubelet while the smb container's CSI_ENDPOINT at line 110 uses {{ .Values.windows.kubelet }}. If a user customizes .Values.windows.kubelet, the directory will be created at the wrong path, causing the CSI socket to be missing.

🐛 Proposed fix
          command:
            - "powershell.exe"
            - "-c"
-            - "New-Item -ItemType Directory -Path C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\ -Force"
+            - "New-Item -ItemType Directory -Path {{ .Values.windows.kubelet | replace "\\" "\\\\" }}\\plugins\\{{ .Values.driver.name }}\\ -Force"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml`
around lines 52 - 56, The initContainer command hardcodes the kubelet path as
C:\\var\\lib\\kubelet in the New-Item PowerShell command, but the smb container
uses {{ .Values.windows.kubelet }} for its CSI_ENDPOINT, creating inconsistency
when users customize the kubelet path. Replace the hardcoded
C:\\var\\lib\\kubelet path in the New-Item -Path parameter with {{
.Values.windows.kubelet }} to ensure the directory is created at the correct
location matching the CSI_ENDPOINT configuration.
charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml-38-39 (1)

38-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing serviceAccountName in pod spec.

Other templates in this chart (e.g., csi-smb-node.yaml line 34, csi-smb-node-windows-hostprocess.yaml line 35) set serviceAccountName: {{ .Values.serviceAccount.node }}. This template is missing it, which will cause the pod to use the default ServiceAccount and potentially lack required permissions.

🐛 Proposed fix
      priorityClassName: {{ .Values.priorityClassName | quote }}
+      serviceAccountName: {{ .Values.serviceAccount.node }}
      {{- include "smb.pullSecrets" . | indent 6 }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml` around lines
38 - 39, The csi-proxy-windows.yaml template is missing the serviceAccountName
field in its pod specification, which causes the pod to default to using the
default ServiceAccount and potentially lack required permissions. Add the
serviceAccountName field with the value {{ .Values.serviceAccount.node }} to the
pod spec in the csi-proxy-windows.yaml template, following the same pattern used
in the csi-smb-node.yaml and csi-smb-node-windows-hostprocess.yaml templates.
This field should be added alongside the existing priorityClassName field to
ensure the pod uses the correct service account with appropriate permissions.
charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml-74-80 (1)

74-80: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Additional hardcoded paths inconsistent with templated values.

Lines 78 and 80 hardcode C:\\var\\lib\\kubelet while line 76 uses {{ .Values.windows.kubelet }}. This inconsistency will cause registration failures if the kubelet path is customized.

🐛 Proposed fix
          env:
            - name: CSI_ENDPOINT
              value: unix://{{ .Values.windows.kubelet }}\plugins\{{ .Values.driver.name }}\csi.sock
            - name: DRIVER_REG_SOCK_PATH
-              value: C:\\var\\lib\\kubelet\\plugins\\{{ .Values.driver.name }}\\csi.sock
+              value: {{ .Values.windows.kubelet | replace "\\" "\\\\" }}\\plugins\\{{ .Values.driver.name }}\\csi.sock
            - name: PLUGIN_REG_DIR
-              value: C:\\var\\lib\\kubelet\\plugins_registry\\
+              value: {{ .Values.windows.kubelet | replace "\\" "\\\\" }}\\plugins_registry\\
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml`
around lines 74 - 80, The environment variables DRIVER_REG_SOCK_PATH and
PLUGIN_REG_DIR contain hardcoded kubelet paths (C:\\var\\lib\\kubelet) that are
inconsistent with the templated value used in CSI_ENDPOINT ({{
.Values.windows.kubelet }}). Replace the hardcoded C:\\var\\lib\\kubelet
prefixes in both DRIVER_REG_SOCK_PATH and PLUGIN_REG_DIR with the same {{
.Values.windows.kubelet }} template variable used in CSI_ENDPOINT, ensuring that
all kubelet path references remain consistent and respond to customization
through the values configuration.
.github/workflows/trivy.yaml-2-2 (1)

2-2: ⚠️ Potential issue | 🟠 Major

Fix mutable action reference and harden workflow permissions and checkout settings.

Line 22 uses a mutable action reference (aquasecurity/trivy-action@master) which should be pinned to a specific SHA. Additionally, the actions/checkout step should set persist-credentials: false, and the workflow should define an explicit permissions block with least-privilege GITHUB_TOKEN scoping.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trivy.yaml at line 2, The workflow file has three security
issues that need to be addressed: the aquasecurity/trivy-action reference uses a
mutable `@master` tag which should be pinned to a specific SHA for
reproducibility, the actions/checkout step is missing the persist-credentials:
false setting to reduce credential exposure, and the workflow lacks an explicit
permissions block at the top level to implement least-privilege access control
for the GITHUB_TOKEN. Add a permissions block after the on trigger section with
minimal required scopes, update the actions/checkout step to include
persist-credentials: false, and replace the `@master` reference in the
aquasecurity/trivy-action with a pinned SHA version.

Sources: Coding guidelines, Linters/SAST tools

.github/workflows/linux.yaml-42-43 (1)

42-43: ⚠️ Potential issue | 🟠 Major

Pin goveralls to an exact version instead of @latest.

Line 43 uses go install github.com/mattn/goveralls@latest, which is non-reproducible and increases supply-chain risk. Pinning to an exact version ensures build consistency and reduces exposure to unexpected upstream changes.

Suggested patch
-    - name: Install goveralls
-      run: go install github.com/mattn/goveralls@latest
+    - name: Install goveralls
+      run: go install github.com/mattn/goveralls@v2.1.0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/linux.yaml around lines 42 - 43, In the "Install
goveralls" step, replace the `@latest` version specifier in the go install command
with a specific pinned version number. Change the command from `go install
github.com/mattn/goveralls@latest` to `go install
github.com/mattn/goveralls@<specific-version>` where the specific version should
be replaced with an exact version tag of the goveralls project to ensure
reproducible builds and reduce supply-chain risk.
.github/workflows/ubuntu-e2e.yml-19-19 (1)

19-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update Go version to match project target.

The workflow specifies go-version: ^1.16, which is outdated. Based on the project's current go.mod configuration (Go 1.25), update this to use the current project version.

📦 Proposed fix for Go version
     - name: Set up Go 1.x
       uses: actions/setup-go@...
       with:
-        go-version: ^1.16
+        go-version: "1.25"
       id: go
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ubuntu-e2e.yml at line 19, Update the go-version parameter
in the Ubuntu E2E workflow to match the project's current Go target version. In
the ubuntu-e2e.yml file, change the go-version value from the outdated ^1.16 to
^1.25 to align with the Go version specified in the project's go.mod
configuration.
go.mod-95-95 (1)

95-95: ⚠️ Potential issue | 🟠 Major

Upgrade OpenTelemetry packages to address known HIGH severity vulnerabilities.

The current go.mod specifies OpenTelemetry v1.40.0 packages, which are vulnerable to two security advisories:

  • GHSA-mh2q-q3fh-2475: DoS amplification in W3C baggage header extraction (fixed in v1.41.0). An attacker can send multiple baggage: header fields to trigger excessive CPU and memory allocations.
  • GHSA-hfvc-g4fc-pqhx: PATH hijacking in OpenTelemetry SDK on BSD/Solaris platforms when reading host ID (fixed in v1.43.0). The kenv command is invoked without an absolute path, allowing local attackers to inject a malicious binary.

Upgrade go.opentelemetry.io/otel/* packages to v1.43.0 or later (v1.43.0 addresses both vulnerabilities) or at minimum v1.41.0 for the baggage fix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 95, The go.mod file currently specifies OpenTelemetry
packages at v1.40.0, which contain two HIGH severity vulnerabilities. Locate all
go.opentelemetry.io/otel/* package entries in go.mod and upgrade them to v1.43.0
or later to address both security issues (GHSA-mh2q-q3fh-2475 and
GHSA-hfvc-g4fc-pqhx). At minimum, upgrade to v1.41.0 if v1.43.0 is not feasible,
though v1.43.0 is recommended as it fixes both vulnerabilities. Use go get to
update these dependencies or manually edit the version constraints in go.mod to
reflect the new version across all OpenTelemetry packages.
🟡 Minor comments (3)
deploy/v1.20.1/csi-smb-node-windows.yaml-46-50 (1)

46-50: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add CPU limits for each container to satisfy manifest resource policy.

This manifest sets memory limits but omits CPU limits across all three containers.

As per coding guidelines: “Resource limits (cpu, memory) on every container.”

Also applies to: 78-82, 131-135

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/v1.20.1/csi-smb-node-windows.yaml` around lines 46 - 50, Add CPU
limits to the resource limits specification for all three containers in the
manifest. For each container's resources.limits section (appearing at lines
46-50, 78-82, and 131-135), add a cpu field with an appropriate limit value
alongside the existing memory limit. This ensures compliance with the resource
policy requirement that every container must have both cpu and memory limits
defined.

Source: Coding guidelines

charts/v1.20.1/csi-driver-smb/templates/NOTES.txt-5-5 (1)

5-5: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the NOTES pod selector label key/value pairing.

Line 5 uses app.kubernetes.io/name={{ .Release.Name }}, but app.kubernetes.io/name is chart-name based in this chart, so this watch command can return no pods for the release.

Suggested patch
-  kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch
+  kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/instance={{ .Release.Name }}" --watch
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.20.1/csi-driver-smb/templates/NOTES.txt` at line 5, The kubectl
command in the NOTES.txt file uses an incorrect label selector. The selector
`app.kubernetes.io/name={{ .Release.Name }}` does not match the actual pod
labels in this chart, as `app.kubernetes.io/name` is set to the chart name, not
the release name. Replace the label selector in the kubectl watch command to use
the correct label key that actually matches the release instance, such as using
`app.kubernetes.io/instance` with the release name value, so the command will
correctly watch pods deployed for this specific release.
.github/workflows/ubuntu-e2e.yml-11-11 (1)

11-11: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove the disabled workflow or document its future use.

The if: false condition disables this entire job. If the E2E workflow is not ready, remove the file entirely rather than committing disabled code. If it is intended for future use, add a clear comment explaining why it's disabled and when it will be enabled.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ubuntu-e2e.yml at line 11, The ubuntu-e2e.yml workflow is
disabled with the `if: false` condition. Either remove this workflow file
entirely if it is not currently needed for the project, or if it is intended for
future use, replace the `if: false` condition with a descriptive comment
explaining why the workflow is disabled and the expected timeline for when it
will be re-enabled.

Source: Coding guidelines

🧹 Nitpick comments (2)
docs/install-csi-driver-v1.20.1.md (1)

26-31: 💤 Low value

Add language specification to code fence for example output.

The fenced code block starting at line 26 should include a language identifier (e.g., text or console) to comply with markdown linting standards and improve readability.

✏️ Proposed fix: Add language to code fence
 example output:

-```
+```text
 NAME                                        READY   STATUS    RESTARTS   AGE     IP            NODE                                NOMINATED NODE   READINESS GATES
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/install-csi-driver-v1.20.1.md` around lines 26 - 31, The markdown code
fence starting at line 26 is missing a language identifier after the opening
triple backticks. Add a language specification (such as `text` or `console`)
immediately after the opening triple backticks of the code fence that displays
the kubectl output example. This will ensure compliance with markdown linting
standards and improve readability of the documentation.
charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml (1)

40-48: ⚡ Quick win

Container missing resources and securityContext.

Other containers in this chart define resource limits and drop all capabilities. This container is missing both, which is inconsistent with the security posture of the other templates.

♻️ Proposed enhancement
      containers:
        - name: csi-proxy
 {{- if hasPrefix "/" .Values.image.csiproxy.repository }}
          image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiproxy.repository }}:{{ .Values.image.csiproxy.tag }}"
 {{- else }}
          image: "{{ .Values.image.csiproxy.repository }}:{{ .Values.image.csiproxy.tag }}"
 {{- end }}
          imagePullPolicy: {{ .Values.image.csiproxy.pullPolicy }}
+          resources: {{- toYaml .Values.windows.csiproxy.resources | nindent 12 }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
 {{- end -}}

Note: This requires adding a resources section under .Values.windows.csiproxy in values.yaml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml` around lines
40 - 48, The csi-proxy container in the csi-proxy-windows.yaml template is
missing resource limits and security context configurations that are present in
other containers throughout the chart. Add a resources section that references
values from .Values.windows.csiproxy for CPU and memory limits and requests, and
add a securityContext section that drops all capabilities to maintain
consistency with the security posture of other templates in this chart. This
will also require adding a corresponding resources configuration block under
.Values.windows.csiproxy in the values.yaml file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codespell.yml:
- Line 5: Replace the mutable action references with full commit SHAs for
improved security. On the `actions/checkout@v6` action, replace the version tag
with a full commit SHA and add `persist-credentials: false` to prevent
credential persistence. On the `codespell-project/actions-codespell@master`
action, replace the `@master` mutable ref with a full commit SHA. Additionally,
add an explicit minimal `permissions` block to the job containing `contents:
read` to declare the minimum required permissions following the principle of
least privilege.

In @.github/workflows/pluto.yaml:
- Line 14: The actions/checkout action is pinned to a version tag (`@v6`) instead
of a full commit SHA, which creates a security vulnerability. Replace the `@v6`
tag with the full commit SHA from the actions/checkout releases page.
Additionally, add the persist-credentials: false option to the uses
configuration to limit GitHub token exposure. Apply this fix to all occurrences
of the actions/checkout action in the workflow file.

In @.github/workflows/ubuntu-e2e.yml:
- Line 17: Replace the version tag v6 in the actions/setup-go action with its
full commit SHA. Additionally, add persist-credentials: false to restrict token
exposure. Apply the same changes to the other GitHub Action reference mentioned
at line 23. Ensure both actions are pinned to specific commit SHAs rather than
version tags to comply with CI/CD security guidelines.

In @.golangci.yml:
- Around line 22-37: The exclusions section containing generated, presets, and
rules is incorrectly indented and nested under the linters key in the
`.golangci.yml` file. Move the entire exclusions block (starting with
"generated: lax" and including all the presets and rules) to the root level of
the configuration file so it sits at the same indentation level as the linters
section, not nested within it.
- Around line 3-27: The depguard configuration is incorrectly nested under
linters.settings.staticcheck when it should have its own section at
linters.settings.depguard. Additionally, depguard needs to be explicitly added
to the linters.enable list alongside staticcheck to be activated. Move the
depguard rules block from its current location under staticcheck to
linters.settings.depguard, add depguard to linters.enable, move the exclusions
block to the root level of the configuration (not nested under linters), and
consider adding additional linters such as errcheck, gosimple, and govet to the
linters.enable list to improve code quality checks for this production CSI
driver project.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml`:
- Around line 30-33: The nodeSelector configuration in the
csi-proxy-windows.yaml template is missing the mandatory kubernetes.io/os:
windows selector that ensures pods run on Windows nodes. Update the nodeSelector
block to include both the mandatory kubernetes.io/os: windows selector and merge
it with the optional nodeSelector values from
.Values.windows.csiproxy.nodeSelector, similar to how it's implemented in
csi-smb-node-windows.yaml. This ensures the DaemonSet will only schedule on
Windows nodes regardless of what optional selectors are provided in the values.

In `@go.mod`:
- Line 120: The go.mod file contains go.opentelemetry.io packages
(go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric,
go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace) at v1.40.0
which have unpatched HIGH severity security vulnerabilities. Upgrade all of
these opentelemetry packages to v1.43.0 or later to address both
GHSA-mh2q-q3fh-2475 and GHSA-hfvc-g4fc-pqhx vulnerabilities. Run go get to
update these dependencies and ensure all transitive dependencies are also
resolved to compatible versions.

---

Outside diff comments:
In `@deploy/csi-smb-node-windows.yaml`:
- Line 36: Update the Windows node DaemonSet sidecar versions to match the Linux
node DaemonSet and Helm values for consistency across platforms. Change the
livenessprobe image version from v2.16.0 to v2.18.0 at line 36, and update the
csi-node-driver-registrar image version from v2.15.0 to v2.16.0 at line 56.
These changes ensure version parity between Windows and Linux deployments as
specified in the Helm values.

In `@hack/verify-helm-chart-index.sh`:
- Around line 29-37: The script has two related issues preventing proper
verification: the `exit 1` statement on line 36 is commented out, suppressing
actual verification failures, and the local path mapping on line 29 uses a
hardcoded `master` branch reference that won't work for other branches like
`release-1.20`. To fix this, uncomment the `exit 1` after the "does not exist"
message to restore fail-fast verification, and replace the hardcoded `master` in
the path rewriting logic with a branch-agnostic approach that dynamically
extracts the correct path component regardless of which branch the URL
references.

---

Major comments:
In @.github/workflows/linux.yaml:
- Around line 42-43: In the "Install goveralls" step, replace the `@latest`
version specifier in the go install command with a specific pinned version
number. Change the command from `go install github.com/mattn/goveralls@latest`
to `go install github.com/mattn/goveralls@<specific-version>` where the specific
version should be replaced with an exact version tag of the goveralls project to
ensure reproducible builds and reduce supply-chain risk.

In @.github/workflows/trivy.yaml:
- Line 2: The workflow file has three security issues that need to be addressed:
the aquasecurity/trivy-action reference uses a mutable `@master` tag which should
be pinned to a specific SHA for reproducibility, the actions/checkout step is
missing the persist-credentials: false setting to reduce credential exposure,
and the workflow lacks an explicit permissions block at the top level to
implement least-privilege access control for the GITHUB_TOKEN. Add a permissions
block after the on trigger section with minimal required scopes, update the
actions/checkout step to include persist-credentials: false, and replace the
`@master` reference in the aquasecurity/trivy-action with a pinned SHA version.

In @.github/workflows/ubuntu-e2e.yml:
- Line 19: Update the go-version parameter in the Ubuntu E2E workflow to match
the project's current Go target version. In the ubuntu-e2e.yml file, change the
go-version value from the outdated ^1.16 to ^1.25 to align with the Go version
specified in the project's go.mod configuration.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml`:
- Around line 38-39: The csi-proxy-windows.yaml template is missing the
serviceAccountName field in its pod specification, which causes the pod to
default to using the default ServiceAccount and potentially lack required
permissions. Add the serviceAccountName field with the value {{
.Values.serviceAccount.node }} to the pod spec in the csi-proxy-windows.yaml
template, following the same pattern used in the csi-smb-node.yaml and
csi-smb-node-windows-hostprocess.yaml templates. This field should be added
alongside the existing priorityClassName field to ensure the pod uses the
correct service account with appropriate permissions.

In `@charts/v1.20.1/csi-driver-smb/templates/csi-smb-controller.yaml`:
- Around line 48-49: The csi-smb-controller deployment has insecure security
defaults with hostNetwork set to true on line 48 and privileged set to true on
line 171. These high-risk settings should not be enabled by default. Change
hostNetwork and privileged to false (or configurable via .Values) to follow the
principle of least privilege, and add securityContext with
allowPrivilegeEscalation: false to prevent privilege escalation. Make these
restrictive settings the default, allowing users to opt-in to elevated
privileges only when explicitly needed.

In
`@charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml`:
- Around line 52-56: The initContainer command hardcodes the kubelet path as
C:\\var\\lib\\kubelet in the New-Item PowerShell command, but the smb container
uses {{ .Values.windows.kubelet }} for its CSI_ENDPOINT, creating inconsistency
when users customize the kubelet path. Replace the hardcoded
C:\\var\\lib\\kubelet path in the New-Item -Path parameter with {{
.Values.windows.kubelet }} to ensure the directory is created at the correct
location matching the CSI_ENDPOINT configuration.
- Around line 74-80: The environment variables DRIVER_REG_SOCK_PATH and
PLUGIN_REG_DIR contain hardcoded kubelet paths (C:\\var\\lib\\kubelet) that are
inconsistent with the templated value used in CSI_ENDPOINT ({{
.Values.windows.kubelet }}). Replace the hardcoded C:\\var\\lib\\kubelet
prefixes in both DRIVER_REG_SOCK_PATH and PLUGIN_REG_DIR with the same {{
.Values.windows.kubelet }} template variable used in CSI_ENDPOINT, ensuring that
all kubelet path references remain consistent and respond to customization
through the values configuration.

In `@charts/v1.20.1/csi-driver-smb/values.yaml`:
- Around line 112-113: The tolerations configuration in the values.yaml file
uses operator "Exists" in the Linux toleration block, which is a wildcard that
tolerates all taints and can inadvertently schedule the workload on
resource-constrained arbiter nodes. Instead of using the broad operator "Exists"
toleration, specify explicit taint keys and values that the workload should
tolerate, ensuring that arbiter-related taints are not included in the
toleration list. This will restrict pod placement to appropriate nodes only and
prevent scheduling conflicts with topology constraints.

In `@deploy/v1.20.1/csi-smb-controller.yaml`:
- Around line 17-19: The csi-smb-controller deployment currently has hostNetwork
set to true, which creates unnecessary security risks. Remove the hostNetwork:
true configuration from the pod spec in the csi-smb-controller-deployment (and
other affected deployments at lines 63-90 and 135-139). Additionally, add
securityContext with allowPrivilegeEscalation: false to all non-privileged
container specifications within the controller pod to follow security hardening
guidelines. Ensure that privileged containers are only used when absolutely
necessary and document why they require elevated privileges.

In `@deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml`:
- Around line 28-35: The securityContext configuration in the
csi-smb-node-windows-hostprocess.yaml file specifies a high-privilege runtime
profile with hostProcess set to true, runAsUserName set to NT AUTHORITY\SYSTEM,
and hostNetwork set to true, but provides no explicit justification or
compensating controls. Add clear inline comments or documentation explaining the
security rationale for this exception and implement compensating controls such
as namespace constraints, RBAC policies, or pod security policy restrictions
either directly in the manifest or in adjacent release documentation to justify
and constrain this high-privilege configuration.
- Around line 43-95: Add livenessProbe and readinessProbe sections to both the
node-driver-registrar and smb containers in the DaemonSet spec. For each
container, define appropriate health checks that validate the process is healthy
and responding. Use probes suitable for Windows HostProcess containers, such as
HTTPGet probes pointing to the registration socket endpoint for
node-driver-registrar and the CSI endpoint for the smb container, with
reasonable initial delay, timeout, and period values. Ensure both containers
have consistent probe configurations following the health-check pattern used in
sibling node manifests.

In `@deploy/v1.20.1/csi-smb-node.yaml`:
- Around line 48-51: The securityContext for the liveness-probe and
node-driver-registrar containers in the CSI SMB node manifest is incomplete. Add
the explicit security hardening directive allowPrivilegeEscalation: false to
both containers' securityContext blocks (in addition to the existing
capabilities drop configuration). This applies to both the liveness-probe and
node-driver-registrar sidecars to fully comply with the security baseline
requirements.
- Around line 29-30: The tolerations section currently uses a wildcard
toleration with operator: "Exists" which tolerates all taints and can
inadvertently schedule the CSI SMB node DaemonSet onto arbiter nodes or
resource-constrained nodes. Replace this broad toleration with specific
tolerations that target only the intended node types by specifying the exact key
and effect combinations (such as specific node-role taints) rather than using
the wildcard Exists operator. This ensures the DaemonSet only schedules on
appropriate worker nodes and avoids restricted or special-purpose nodes.

In `@deploy/v1.20.1/rbac-csi-smb.yaml`:
- Around line 40-42: The RBAC rule granting cluster-wide secret read permissions
violates least privilege principles. Instead of allowing the "get" verb on all
"secrets" resources across all namespaces, scope secret access to only what is
necessary. Either restrict access to specific namespaces by adding a namespace
field, limit to specific secret names by adding a resourceNames field, or remove
secret access entirely if the service accounts do not actually require it. Apply
the same least privilege scoping fix to all similar rules referenced in the
range 91-111 where the same broad cluster-scoped secret access pattern appears.

In `@go.mod`:
- Line 95: The go.mod file currently specifies OpenTelemetry packages at
v1.40.0, which contain two HIGH severity vulnerabilities. Locate all
go.opentelemetry.io/otel/* package entries in go.mod and upgrade them to v1.43.0
or later to address both security issues (GHSA-mh2q-q3fh-2475 and
GHSA-hfvc-g4fc-pqhx). At minimum, upgrade to v1.41.0 if v1.43.0 is not feasible,
though v1.43.0 is recommended as it fixes both vulnerabilities. Use go get to
update these dependencies or manually edit the version constraints in go.mod to
reflect the new version across all OpenTelemetry packages.

In `@pkg/smb/controllerserver.go`:
- Around line 501-506: The path validation added for CreateVolume inputs (using
validatePath for vol.source and vol.subDir) does not apply to volumeID-derived
paths used in DeleteVolume and copyFromVolume operations. Add equivalent
validation inside the getSmbVolFromID function to validate the source, subDir,
and uuid components parsed from the volumeID before they are used by callers.
Apply the same validatePath checks to reject traversal segments (like ../) in
volumeID components at the trust boundary, ensuring getInternalMountPath and
getInternalVolumePath only receive validated paths regardless of their origin.

---

Minor comments:
In @.github/workflows/ubuntu-e2e.yml:
- Line 11: The ubuntu-e2e.yml workflow is disabled with the `if: false`
condition. Either remove this workflow file entirely if it is not currently
needed for the project, or if it is intended for future use, replace the `if:
false` condition with a descriptive comment explaining why the workflow is
disabled and the expected timeline for when it will be re-enabled.

In `@charts/v1.20.1/csi-driver-smb/templates/NOTES.txt`:
- Line 5: The kubectl command in the NOTES.txt file uses an incorrect label
selector. The selector `app.kubernetes.io/name={{ .Release.Name }}` does not
match the actual pod labels in this chart, as `app.kubernetes.io/name` is set to
the chart name, not the release name. Replace the label selector in the kubectl
watch command to use the correct label key that actually matches the release
instance, such as using `app.kubernetes.io/instance` with the release name
value, so the command will correctly watch pods deployed for this specific
release.

In `@deploy/v1.20.1/csi-smb-node-windows.yaml`:
- Around line 46-50: Add CPU limits to the resource limits specification for all
three containers in the manifest. For each container's resources.limits section
(appearing at lines 46-50, 78-82, and 131-135), add a cpu field with an
appropriate limit value alongside the existing memory limit. This ensures
compliance with the resource policy requirement that every container must have
both cpu and memory limits defined.

---

Nitpick comments:
In `@charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml`:
- Around line 40-48: The csi-proxy container in the csi-proxy-windows.yaml
template is missing resource limits and security context configurations that are
present in other containers throughout the chart. Add a resources section that
references values from .Values.windows.csiproxy for CPU and memory limits and
requests, and add a securityContext section that drops all capabilities to
maintain consistency with the security posture of other templates in this chart.
This will also require adding a corresponding resources configuration block
under .Values.windows.csiproxy in the values.yaml file.

In `@docs/install-csi-driver-v1.20.1.md`:
- Around line 26-31: The markdown code fence starting at line 26 is missing a
language identifier after the opening triple backticks. Add a language
specification (such as `text` or `console`) immediately after the opening triple
backticks of the code fence that displays the kubectl output example. This will
ensure compliance with markdown linting standards and improve readability of the
documentation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread .github/workflows/codespell.yml Outdated
Comment thread .github/workflows/pluto.yaml Outdated
Comment thread .github/workflows/ubuntu-e2e.yml Outdated
Comment thread .golangci.yml
Comment thread .golangci.yml
Comment thread charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml
Comment thread go.mod

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/v1.20.1/csi-smb-node-windows.yaml`:
- Around line 31-55: The liveness-probe, node-driver-registrar, and third
container in the Windows node deployment are missing the
allowPrivilegeEscalation security context setting. For each of these three
containers, add allowPrivilegeEscalation: false to their existing
securityContext field (where the capabilities.drop.ALL is currently defined).
This should be added at the same level as the capabilities field within
securityContext to explicitly prevent privilege escalation on all Windows node
containers.

In `@deploy/v1.20.1/csi-smb-node.yaml`:
- Around line 48-51: The securityContext configuration in the CSI SMB node
manifest is missing the allowPrivilegeEscalation: false setting for the
non-privileged sidecars. Add allowPrivilegeEscalation: false to the
securityContext blocks in both the liveness-probe and node-driver-registrar
containers (at lines 48-51 and 74-77) to ensure these sidecars cannot escalate
privileges, reducing the attack surface as per Kubernetes security best
practices.
- Around line 29-31: The tolerations section in the csi-smb-node.yaml DaemonSet
uses a wildcard `operator: "Exists"` which tolerates all taints on all nodes,
potentially causing the pod to be scheduled on unintended nodes like TNA arbiter
nodes. Replace this overly permissive wildcard toleration with specific
tolerations that explicitly target only the taints this DaemonSet should
tolerate, specifying both the key and the taint value to restrict scheduling to
appropriate nodes.
- Around line 20-21: Add an inline comment to the hostNetwork: true setting
explaining that it is required for bidirectional mount propagation in CSI
operations, and ensure there is a similar comment documenting the necessity of
privileged: true in the securityContext (for mount operations). Review the
tolerations section in the spec and narrow them from operator: Exists (which
tolerates all taints) to only the specific required taints for the SMB node
driver. Verify the container image reference uses registry.k8s.io as the
official source and document the security exception rationale either through
inline comments or by adding an annotation explaining the compensating controls
and why this configuration is necessary.

In `@docs/install-csi-driver-v1.20.1.md`:
- Line 7: The curl command disables TLS verification with the -k flag and pipes
directly to bash, which is a security risk. Remove the -k flag from the curl
command and replace the direct pipe-to-shell pattern with a two-step
download-then-run approach where you first download the install-driver.sh script
to a temporary location, verify it if needed, and then execute it. Apply this
same fix to both occurrences of this pattern in the file (line 7 and line 36).
- Around line 26-31: The fenced code block containing the kubectl output showing
the CSI SMB pod status is missing a language identifier. Add a language
specifier (either `text` or `console`) immediately after the opening triple
backticks on the fenced code block to satisfy markdown linting requirements and
maintain consistent rendering throughout the documentation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 38a417fb-484c-4e40-baf1-804d39087e53

📥 Commits

Reviewing files that changed from the base of the PR and between 0f4ba3f and dd00a2e.

⛔ Files ignored due to path filters (193)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-cmp/cmp/cmpopts/sort.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-cmp/cmp/internal/function/func.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-cmp/cmp/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/limit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer_provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/get_main_pkgs.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/gen.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/instruments.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/instrument.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/noop/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/renovate.json is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/instrumentation/library.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/instrumentation/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/evictedqueue.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampler_env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/internal/http.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/error_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/exception.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/schema.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/resource.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/scope.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/verify_examples.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/verify_readmes.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/verify_released_changelog.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (44)
  • .golangci.yml
  • Makefile
  • README.md
  • charts/README.md
  • charts/index.yaml
  • charts/latest/csi-driver-smb-1.20.0.tgz
  • charts/latest/csi-driver-smb-1.20.1.tgz
  • charts/latest/csi-driver-smb/Chart.yaml
  • charts/latest/csi-driver-smb/values.yaml
  • charts/v1.20.1/csi-driver-smb-1.20.1.tgz
  • charts/v1.20.1/csi-driver-smb/Chart.yaml
  • charts/v1.20.1/csi-driver-smb/templates/NOTES.txt
  • charts/v1.20.1/csi-driver-smb/templates/_helpers.tpl
  • charts/v1.20.1/csi-driver-smb/templates/csi-proxy-windows.yaml
  • charts/v1.20.1/csi-driver-smb/templates/csi-smb-controller.yaml
  • charts/v1.20.1/csi-driver-smb/templates/csi-smb-driver.yaml
  • charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows-hostprocess.yaml
  • charts/v1.20.1/csi-driver-smb/templates/csi-smb-node-windows.yaml
  • charts/v1.20.1/csi-driver-smb/templates/csi-smb-node.yaml
  • charts/v1.20.1/csi-driver-smb/templates/rbac-csi-smb.yaml
  • charts/v1.20.1/csi-driver-smb/templates/storageclass.yaml
  • charts/v1.20.1/csi-driver-smb/values.yaml
  • deploy/csi-smb-controller.yaml
  • deploy/csi-smb-node-windows-hostprocess.yaml
  • deploy/csi-smb-node-windows.yaml
  • deploy/csi-smb-node.yaml
  • deploy/v1.20.1/csi-smb-controller.yaml
  • deploy/v1.20.1/csi-smb-driver.yaml
  • deploy/v1.20.1/csi-smb-node-windows-hostprocess.yaml
  • deploy/v1.20.1/csi-smb-node-windows.yaml
  • deploy/v1.20.1/csi-smb-node.yaml
  • deploy/v1.20.1/rbac-csi-smb.yaml
  • docs/install-csi-driver-v1.20.1.md
  • docs/install-smb-csi-driver.md
  • go.mod
  • hack/verify-helm-chart-index.sh
  • pkg/mounter/safe_mounter_host_process_windows.go
  • pkg/smb/controllerserver.go
  • pkg/smb/controllerserver_test.go
  • pkg/smb/nodeserver.go
  • pkg/smb/nodeserver_test.go
  • pkg/smb/smb.go
  • pkg/smb/smb_test.go
  • release-tools/prow.sh
✅ Files skipped from review due to trivial changes (9)
  • charts/v1.20.1/csi-driver-smb/templates/NOTES.txt
  • charts/README.md
  • README.md
  • docs/install-smb-csi-driver.md
  • Makefile
  • deploy/csi-smb-controller.yaml
  • deploy/csi-smb-node-windows.yaml
  • deploy/csi-smb-node.yaml
  • deploy/v1.20.1/csi-smb-driver.yaml
🚧 Files skipped from review as they are similar to previous changes (16)
  • pkg/mounter/safe_mounter_host_process_windows.go
  • hack/verify-helm-chart-index.sh
  • pkg/smb/nodeserver.go
  • pkg/smb/controllerserver.go
  • charts/v1.20.1/csi-driver-smb/Chart.yaml
  • pkg/smb/nodeserver_test.go
  • charts/v1.20.1/csi-driver-smb/templates/_helpers.tpl
  • .golangci.yml
  • deploy/csi-smb-node-windows-hostprocess.yaml
  • charts/latest/csi-driver-smb/Chart.yaml
  • release-tools/prow.sh
  • charts/index.yaml
  • charts/v1.20.1/csi-driver-smb/values.yaml
  • charts/latest/csi-driver-smb/values.yaml
  • pkg/smb/smb.go
  • pkg/smb/controllerserver_test.go

Comment thread deploy/v1.20.1/csi-smb-node-windows.yaml
Comment thread deploy/v1.20.1/csi-smb-node.yaml
Comment thread deploy/v1.20.1/csi-smb-node.yaml
Comment thread deploy/v1.20.1/csi-smb-node.yaml
Comment thread docs/install-csi-driver-v1.20.1.md
Comment thread docs/install-csi-driver-v1.20.1.md
@dfajmon dfajmon marked this pull request as ready for review June 17, 2026 13:47
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci openshift-ci Bot requested review from RomanBednar and mpatlasov June 17, 2026 13:48
dfajmon and others added 2 commits June 17, 2026 15:55
Update github.com/moby/spdystream from v0.5.0 to v0.5.1 to address
CVE-2026-35469 (Denial of Service via SPDY streaming code).

This CVE affects kubelet, CRI-O, and kube-apiserver SPDY streaming code
used for attach, exec, and port forwarding. The fix patches a DOS vulnerability
in the SPDY streaming implementation.

Upstream PR: kubernetes-csi#1103

Related: OCPBUGS-84460
Signed-off-by: Jaspreet Kaur <jkaur@redhat.com>
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown

@dfajmon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants