Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSI inline volumes should support fsGroup #108662

Merged
merged 1 commit into from
Mar 14, 2022
Merged

CSI inline volumes should support fsGroup #108662

merged 1 commit into from
Mar 14, 2022

Conversation

dobsonj
Copy link
Member

@dobsonj dobsonj commented Mar 11, 2022
edited
Loading

What type of PR is this?

/kind bug
/sig storage

What this PR does / why we need it:

Today, any volume without a PV spec is not able to apply fsGroup.
This policy is a bit too restrictive, as it means CSI Inline Volumes are
not accessible to non-root users. These volumes are always mounted
with RWO AccessMode and should be able to support fsGroup.

Which issue(s) this PR fixes:

Fixes #89290

Special notes for your reviewer:

/cc @gnufied @jsafrane @pohly @msau42

Simple test using the hostpath driver with a slightly modified examples/csi-app-inline.yaml:

root@ubuntu2110:/workspace/csi-driver-host-path# cat examples/csi-app-inline.yaml
kind: Pod
apiVersion: v1
metadata:
  name: my-csi-app-inline
spec:
  securityContext:
    fsGroup: 1000
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: topology.hostpath.csi/node
            operator: Exists
  containers:
    - name: my-frontend
      image: busybox
      volumeMounts:
      - mountPath: "/data"
        name: my-csi-volume
      command: [ "sleep", "1000000" ]
  volumes:
    - name: my-csi-volume
      csi:
        driver: hostpath.csi.k8s.io
        fsType: ext4
root@ubuntu2110:/workspace/csi-driver-host-path# kubectl apply -f examples/csi-app-inline.yaml
pod/my-csi-app-inline created
root@ubuntu2110:/workspace/csi-driver-host-path# grep SetupAt /tmp/kubelet.log
I0311 23:03:24.821360 3190213 csi_mounter.go:291] kubernetes.io/csi: mounter.SetupAt fsGroup [1000] applied successfully to csi-531e4596b9ce78763a7e2ab028e238d4b1f5b3e81a4561c04d0a94d9daf530ea
root@ubuntu2110:/workspace/csi-driver-host-path# kubectl exec -it pod/my-csi-app-inline -- /bin/sh
/ # touch /data/test
/ # ls -la /data
total 8
drwxrwsr-x    2 root     1000          4096 Mar 11 23:04 .
drwxr-xr-x    1 root     root          4096 Mar 11 23:03 ..
-rw-r--r--    1 root     1000             0 Mar 11 23:04 test

And with runAsGroup / runAsUser included in the SecurityContext:

root@ubuntu2110:/workspace/csi-driver-host-path# head examples/csi-app-inline.yaml
kind: Pod
apiVersion: v1
metadata:
  name: my-csi-app-inline
spec:
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsUser: 1000
  affinity:
root@ubuntu2110:/workspace/csi-driver-host-path# kubectl apply -f examples/csi-app-inline.yaml
pod/my-csi-app-inline created
root@ubuntu2110:/workspace/csi-driver-host-path# kubectl exec -it pod/my-csi-app-inline -- /bin/sh
/ $ touch /data/test
/ $ ls -l /data
total 0
-rw-r--r--    1 1000     1000             0 Mar 12 00:09 test
/ $ id
uid=1000 gid=1000 groups=1000

Does this PR introduce a user-facing change?

Fix to allow fsGroup to be applied for CSI Inline Volumes

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot requested a review from gnufied March 11, 2022 23:52
@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Mar 11, 2022
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. sig/storage Categorizes an issue or PR as relevant to SIG Storage. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 11, 2022
@dobsonj
Copy link
Member Author

dobsonj commented Mar 11, 2022

/triage accepted
/priority important-soon

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 11, 2022
@dobsonj
Copy link
Member Author

dobsonj commented Mar 14, 2022

/retest

@jsafrane
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 14, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj, jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2022
@gnufied
Copy link
Member

gnufied commented Mar 14, 2022

btw does this happens even if CSIDriver had an explicit policy defined?

@jsafrane
Copy link
Member

Yes, it's at the beginning of supportsFSGroup().

@k8s-ci-robot k8s-ci-robot merged commit 9642a1f into kubernetes:master Mar 14, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Mar 14, 2022
@github-actions github-actions bot mentioned this pull request Mar 22, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnufied gnufied Awaiting requested review from gnufied

@jsafrane jsafrane Awaiting requested review from jsafrane

@msau42 msau42 Awaiting requested review from msau42

@pohly pohly Awaiting requested review from pohly

Assignees

@jsafrane jsafrane

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

CSI inline volumes should support fsGroup
4 participants
@dobsonj @jsafrane @k8s-ci-robot @gnufied