diff --git a/ezdown b/ezdown
index 8e61d64..a7ad3b6 100755
--- a/ezdown
+++ b/ezdown
@@ -13,14 +13,14 @@ set -o pipefail
 #set -o xtrace
 # default settings, can be overridden by cmd line options, see usage
-DOCKER_VER=25.0.3
+DOCKER_VER=26.1.3
 KUBEASZ_VER=3.6.3
-K8S_BIN_VER=v1.29.2
+K8S_BIN_VER=v1.30.1
 # https://github.com/easzlab/dockerfile-kubeasz-ext-bin
-EXT_BIN_VER=1.10.0
+EXT_BIN_VER=1.10.1
 # https://github.com/easzlab/dockerfile-kubeasz-sys-pkg
-SYS_PKG_VER=1.0.0
-HARBOR_VER=v2.8.4
+SYS_PKG_VER=1.0.1
+HARBOR_VER=v2.10.2
 REGISTRY_MIRROR=CN
 # images downloaded by default(with 'ezdown -D')
@@ -29,11 +29,11 @@ calicoVer=v3.26.4
 # https://github.com/coredns/coredns
 corednsVer=1.11.1
 # https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/
-dnsNodeCacheVer=1.22.23
+dnsNodeCacheVer=1.22.28
 dashboardVer=v2.7.0
 dashboardMetricsScraperVer=v1.0.8
 # https://github.com/kubernetes-sigs/metrics-server
-metricsVer=v0.6.4
+metricsVer=v0.7.1
 pauseVer=3.9
 # images not downloaded by default(only download with 'ezdown -X ***')
@@ -46,7 +46,7 @@ kubeRouterVer=v1.5.4
 # https://github.com/kubeovn/kube-ovn
 kubeOvnVer=v1.11.5
 # https://github.com/rancher/local-path-provisioner
-localpathProvisionerVer=v0.0.24
+localpathProvisionerVer=v0.0.26
 # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
 nfsProvisionerVer=v4.0.2
 #https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
diff --git a/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2 b/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2
index 917720b..c9f4334 100644
--- a/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2
+++ b/roles/cluster-addon/templates/local-storage/local-path-storage.yaml.j2
@@ -5,24 +5,50 @@ metadata:
 name: local-path-provisioner-service-account
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: local-path-provisioner-role
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: local-path-provisioner-role
 rules:
- - apiGroups: [ "" ]
- resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "endpoints", "persistentvolumes", "pods" ]
- verbs: [ "*" ]
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "create", "patch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "storageclasses" ]
- verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["nodes", "persistentvolumeclaims", "configmaps", "pods", "pods/log"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: local-path-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
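Review bot: The new ClusterRole keeps cluster-wide read on `pods` and `pods/log`, while the new Role confines pod create/update/delete to kube-system; if the provisioner only needs to read logs of its own helper pods, which the Role already pins to kube-system, `"pods/log"` could move into the namespaced Role so that a compromise of this service account cannot read every workload's logs in the cluster. The Role itself is powerful: pod create/delete in kube-system lets the provisioner spawn helper pods with whatever spec the ConfigMap template carries (upstream's helper pod mounts a hostPath, though the volumes are not visible in this diff), so a comment on the Role such as `# pod create/delete lets the provisioner spawn helper pods in kube-system; treat this SA as privileged` would make the trust boundary explicit. The ClusterRoleBinding for the ClusterRole lies outside the hunk, so I could not confirm which subject it binds.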
@@ -117,9 +143,12 @@ data:
 metadata:
 name: helper-pod
 spec:
+ priorityClassName: system-node-critical
+ tolerations:
+ - key: node.kubernetes.io/disk-pressure
+ operator: Exists
+ effect: NoSchedule
 containers:
 - name: helper-pod
 image: easzlab.io.local:5000/rancher/local-path-provisioner:{{ local_path_provisioner_ver }}
 imagePullPolicy: IfNotPresent
-
-
diff --git a/roles/cluster-addon/templates/metrics-server/components.yaml.j2 b/roles/cluster-addon/templates/metrics-server/components.yaml.j2
index cfc6984..9151c9a 100644
--- a/roles/cluster-addon/templates/metrics-server/components.yaml.j2
+++ b/roles/cluster-addon/templates/metrics-server/components.yaml.j2
@@ -133,7 +133,7 @@ spec:
 containers:
 - args:
 - --cert-dir=/tmp
- - --secure-port=4443
+ - --secure-port=10250
 - --kubelet-insecure-tls
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
 - --kubelet-use-node-status-port
@@ -150,7 +150,7 @@ spec:
 periodSeconds: 10
 name: metrics-server
 ports:
- - containerPort: 4443
+ - containerPort: 10250
 name: https
 protocol: TCP
 readinessProbe:
@@ -167,9 +167,14 @@ spec:
 memory: 200Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /tmp
 name: tmp-dir
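Review bot: The reason for `priorityClassName: system-node-critical` and the `node.kubernetes.io/disk-pressure` toleration on the helper pod is not documented in the ConfigMap template; presumably it is so the cleanup helper can still be scheduled on a node that is already under disk pressure, which is exactly when it is needed, but a future maintainer tightening priority classes will not know that. A comment above the added lines would preserve the intent: `# must still schedule on a node under disk pressure: the helper is what frees the space`. Note that `system-node-critical` also lets this pod preempt ordinary workloads, so it should stay paired with whatever resource limits the helper pod template sets (not visible in this hunk).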
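Review bot: `--kubelet-insecure-tls`, on the context line right after the changed `--secure-port`, is retained, so metrics-server still accepts any certificate from whatever answers on the kubelet port; the capability-drop and seccomp hardening added later in this file does nothing against a spoofed kubelet endpoint on the node network. If the kubelets in this deployment serve certificates issued by the cluster CA, replace the flag with `--kubelet-certificate-authority=<cluster CA path mounted into the pod>`; if they serve self-signed certs, a comment next to the flag stating that makes it a recorded accepted risk rather than a leftover. The move to 10250 matches the upstream v0.7 default and is fine for `runAsUser: 1000`, but verify that the Deployment does not set `hostNetwork: true` elsewhere in this template, since 10250 is the kubelet's own port on the host.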