From 7029c9ab95ab60c402c6e89d861af6e758cf7a05 Mon Sep 17 00:00:00 2001
From: Sachin Prabhu
Date: Thu, 8 Jun 2023 16:23:41 +0100
Subject: [PATCH] nfs: add support for `clients` in the StorageClass

The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified.

Signed-off-by: Sachin Prabhu
---
 e2e/nfs.go | 33 +++++++++++++++++++++++++++++++
 examples/nfs/storageclass.yaml | 6 ++++++
 internal/nfs/controller/volume.go | 5 +++++
 3 files changed, 44 insertions(+)

diff --git a/e2e/nfs.go b/e2e/nfs.go
index d06e06e4e82d..6d5e310d78e1 100644
--- a/e2e/nfs.go
+++ b/e2e/nfs.go
@@ -440,6 +440,39 @@ var _ = Describe("nfs", func() {
 }
 })
+ By("create a storageclass with a restricted set of clients allowed to mount it. This is expected to fail", func() {
+ err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+ "clients": "192.168.49.29,192.168.132.30",
+ })
+ if err != nil {
+ framework.Failf("failed to create NFS storageclass: %v", err)
+ }
+ err = validatePVCAndAppBinding(pvcPath, appPath, f)
+ if err == nil {
+ framework.Failf("Mount expected to fail but didn't: %v", err)
+ }
+ err = deleteResource(nfsExamplePath + "storageclass.yaml")
+ if err != nil {
+ framework.Failf("failed to delete NFS storageclass: %v", err)
+ }
+ })
+ By("create a storageclass with a wide range of network address to encompass all clients.This is expected to pass", func() {
+ err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+ "clients": "0.0.0.0/0",
+ })
+ if err != nil {
+ framework.Failf("failed to create NFS storageclass: %v", err)
+ }
+ err = validatePVCAndAppBinding(pvcPath, appPath, f)
+ if err != nil {
+ framework.Failf("NFS clients were not able to mount: %v", err)
+ }
+ err = deleteResource(nfsExamplePath + "storageclass.yaml")
+ if err != nil {
+ framework.Failf("failed to delete NFS storageclass: %v", err)
+ }
+ })
+
 By("create a PVC and bind it to an app", func() {
 err := createNFSStorageClass(f.ClientSet, f, false, nil)
 if err != nil {
diff --git a/examples/nfs/storageclass.yaml b/examples/nfs/storageclass.yaml
index 7bc21af15c64..c524fa5392c1 100644
--- a/examples/nfs/storageclass.yaml
+++ b/examples/nfs/storageclass.yaml
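Review bot: The negative case's `if err == nil` after `validatePVCAndAppBinding` treats any failure as proof that the `clients` allowlist was enforced, so an export that is broken for an unrelated reason (bad subvolume path, export creation error) would also make this step pass; asserting that the failure is specifically the mount being refused (for example from the pod's mount-failure event) would make the step actually test the restriction. `framework.Failf("Mount expected to fail but didn't: %v", err)` formats an error that is known to be nil on that path, so the `%v` can go. If `framework.Failf` aborts the step as it usually does, a failing assertion in either new block skips the `deleteResource` call after it and leaves the restricted storageclass in place for the following `By("create a PVC and bind it to an app", ...)` step, which creates one again; a deferred cleanup would keep the steps independent — inferred from the framework's usual behaviour, worth confirming. A short comment such as `// addresses chosen not to match any node in the test cluster` above `"192.168.49.29,192.168.132.30"` would explain why those values were picked. The enclosing Describe body starts and ends outside the hunk.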
@@ -51,5 +51,11 @@ parameters:
 # This option is available with Ceph v17.2.6 and newer.
 # secTypes:
+ # (optional) The clients parameter in the storage class is used to limit
+ # access to the export to the set of hostnames, networks or ip addresses
+ # specified. The is a comma delimited string,
+ # for example: "192.168.0.10,192.168.1.0/8"
+ # clients:
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
diff --git a/internal/nfs/controller/volume.go b/internal/nfs/controller/volume.go
index 2249f8c61706..271393d97706 100644
--- a/internal/nfs/controller/volume.go
+++ b/internal/nfs/controller/volume.go
@@ -132,6 +132,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 nfsCluster := backend.VolumeContext["nfsCluster"]
 path := backend.VolumeContext["subvolumePath"]
 secTypes := backend.VolumeContext["secTypes"]
+ clients := backend.VolumeContext["clients"]
 err := nv.setNFSCluster(nfsCluster)
 if err != nil {
@@ -157,6 +158,10 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 }
 }
+ if clients != "" {
+ export.ClientAddr = strings.Split(clients, ",")
+ }
+
 _, err = nfsa.CreateCephFSExport(export)
 switch {
 case err == nil:
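Review bot: The example `"192.168.0.10,192.168.1.0/8"` in the new comment has host bits set beyond an 8-bit mask, so depending on how the backend normalizes it the allowlist could cover all of `192.0.0.0/8` rather than the single subnet a reader expects; `192.168.1.0/24` is the example that matches the intent. The sentence `# specified. The is a comma delimited string,` reads as a typo for `# specified. This is a comma-delimited string,`. It would also help to state what happens when `clients` is left unset — the controller change in this commit only sets the export's client list when the value is non-empty, which presumably leaves the export unrestricted; worth confirming and documenting as the default, since this is the security-relevant case.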
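Review bot: `export.ClientAddr = strings.Split(clients, ",")` in the second volume.go hunk hands the value read in the first hunk (`clients := backend.VolumeContext["clients"]`) to the export unchanged, so surrounding whitespace (`"10.0.0.1, 10.0.0.2"`), empty entries from a trailing comma, or a value that is only spaces (which still passes the `clients != ""` guard) reach `CreateCephFSExport` as-is. Because this list is an access allowlist, a malformed entry should be rejected before the export is created rather than left to whatever the backend makes of it; trimming each entry, refusing empties, and checking that each is an IP, a CIDR or at least hostname-shaped keeps the controller failing closed. The sketch below is inline in CreateExport (whose body continues outside both hunks); whether the backend accepts hostnames, and which status helper this file uses for argument errors, are not visible here, and `net`/`fmt` would need importing if they are not already (the diffstat shows no import change, so `strings` is presumably already in scope).
```go
	if clients != "" {
		var clientAddrs []string
		for _, c := range strings.Split(clients, ",") {
			c = strings.TrimSpace(c)
			if c == "" {
				return fmt.Errorf("clients parameter %q contains an empty entry", clients)
			}
			// accept a plain IP or a CIDR; anything else is treated as a
			// hostname and rejected only if it cannot be one at all
			if net.ParseIP(c) == nil {
				if _, _, err := net.ParseCIDR(c); err != nil && strings.ContainsAny(c, " \t/\\") {
					return fmt.Errorf("clients parameter has invalid entry %q", c)
				}
			}
			clientAddrs = append(clientAddrs, c)
		}
		export.ClientAddr = clientAddrs
	}
	// … unchanged: CreateCephFSExport call and error switch …
```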