Merge pull request #755 from Ashley-wenyizha/CVEMitigation

Should not pass in mount option of awscredsuri
kubernetes-sigs · Aug 17, 2022 · 88e6a0e · 88e6a0e
2 parents 36859e7 + 019e772
commit 88e6a0e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/examples/kubernetes/access_points/README.md b/examples/kubernetes/access_points/README.md
@@ -97,4 +97,6 @@ as this could subject you to
     if you configured your access point with `/ap1`, the above would mount to
     `/ap1/my/subpath`.
   - As with normal volume path, the `[Subpath]` must already exist prior to consuming
-    the volume from a pod.
+    the volume from a pod.
+
+- `awscredsuri` mount option is not supported through efs-csi-driver as it's designed and used by ECS tasks.
diff --git a/pkg/driver/node.go b/pkg/driver/node.go
@@ -78,7 +78,7 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 		switch strings.ToLower(k) {
 		//Deprecated
 		case "path":
-			klog.Warning("Use of path under volumeAttributes is depracated. This field will be removed in future release")
+			klog.Warning("Use of path under volumeAttributes is deprecated. This field will be removed in future release")
 			if !filepath.IsAbs(v) {
 				return nil, status.Errorf(codes.InvalidArgument, "Volume context property %q must be an absolute path", k)
 			}
@@ -165,6 +165,11 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 				}
 			}
 
+			if f == "awscredsuri" {
+				klog.Warning("awscredsuri mount option is not supported by efs-csi-driver.")
+				return nil, nil
+			}
+
 			if !hasOption(mountOptions, f) {
 				mountOptions = append(mountOptions, f)
 			}