From 070c69ef20067ff0158c774c32bee5359be5d716 Mon Sep 17 00:00:00 2001
From: Mike Fedosin
Date: Wed, 17 Jun 2020 14:11:34 +0200
Subject: [PATCH] Allow to set custom permissions for the mounted folder
For RWX volume, kubelet does not perform recursive ownership/permission change. The heuristics that kubelet uses is being modified via - https://github.com/kubernetes/enhancements/issues/1682 Having said that, for RWX volumes which are made available via NFS protocol, using fsGroup is not recommended because if there are 2 pods that are trying to use same volume but with different fsGroup then one pod may lock out the other pod. To avoid this, we must be able to set the folder permissions to 777. This commit adds a cli option --mount-permissions, that allows to define custom permissions. If the value is not specified, then default permissions will be kept. Cherry-picked from: https://github.com/kubernetes-csi/csi-driver-nfs/pull/36
---
cmd/nfsplugin/main.go | 18 +++++++++++++++++-
pkg/nfs/nfs.go | 5 ++++-
pkg/nfs/nodeserver.go | 6 ++++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/cmd/nfsplugin/main.go b/cmd/nfsplugin/main.go
index f757df0b0..d1e86fe41 100644
--- a/cmd/nfsplugin/main.go
+++ b/cmd/nfsplugin/main.go
@@ -20,6 +20,7 @@ import ( "flag" "fmt" "os" + "strconv" "github.com/spf13/cobra"
@@ -29,6 +30,7 @@ import ( var ( endpoint string nodeID string + perm string ) func init() {
@@ -55,6 +57,8 @@ func main() { cmd.PersistentFlags().StringVar(&endpoint, "endpoint", "", "CSI endpoint") cmd.MarkPersistentFlagRequired("endpoint") + cmd.PersistentFlags().StringVar(&perm, "mount-permissions", "", "mounted folder permissions") + cmd.ParseFlags(os.Args[1:]) if err := cmd.Execute(); err != nil { fmt.Fprintf(os.Stderr, "%s", err.Error())
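Review bot: The help text registered for `--mount-permissions` in the last main.go hunk above does not tell the operator that the value is read as an octal number (handle() calls `strconv.ParseUint(perm, 8, 32)`) or that an empty value leaves the mode alone. A wording such as `"mounted folder permissions in octal, e.g. 0777 (empty keeps the mount's default)"` would document both. main() starts and ends outside this hunk.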
@@ -65,6 +69,18 @@ func main() { } func handle() { - d := nfs.NewNFSdriver(nodeID, endpoint) + // Converting string permission representation to *uint32 + var parsedPerm *uint32 + if perm != "" { + permu64, err := strconv.ParseUint(perm, 8, 32) + if err != nil { + fmt.Fprintf(os.Stderr, "Incorrect mount-permissions value: %q", perm) + os.Exit(1) + } + permu32 := uint32(permu64) + parsedPerm = &permu32 + } + + d := nfs.NewNFSdriver(nodeID, endpoint, parsedPerm) d.Run() }
diff --git a/pkg/nfs/nfs.go b/pkg/nfs/nfs.go
index 728132c17..bde90bdde 100644
--- a/pkg/nfs/nfs.go
+++ b/pkg/nfs/nfs.go
@@ -29,6 +29,8 @@ type nfsDriver struct { endpoint string + perm *uint32 + //ids *identityServer ns *nodeServer cap map[csi.VolumeCapability_AccessMode_Mode]bool
@@ -43,7 +45,7 @@ var ( version = "2.0.0" ) -func NewNFSdriver(nodeID, endpoint string) *nfsDriver { +func NewNFSdriver(nodeID, endpoint string, perm *uint32) *nfsDriver { glog.Infof("Driver: %v version: %v", driverName, version) n := &nfsDriver{
@@ -52,6 +54,7 @@ func NewNFSdriver(nodeID, endpoint string) *nfsDriver { nodeID: nodeID, endpoint: endpoint, cap: map[csi.VolumeCapability_AccessMode_Mode]bool{}, + perm: perm, } vcam := []csi.VolumeCapability_AccessMode_Mode{
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index 439d3c8bc..5360f6fac 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
@@ -73,6 +73,12 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis return nil, status.Error(codes.Internal, err.Error()) } + if ns.Driver.perm != nil { + if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil { + return nil, status.Error(codes.Internal, err.Error()) + } + } + return &csi.NodePublishVolumeResponse{}, nil }
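Review bot: `strconv.ParseUint(perm, 8, 32)` in handle() accepts any 32-bit value, and nodeserver.go later converts that value straight to `os.FileMode`, whose bits above 0777 are Go's own type and setuid/setgid/sticky flags rather than Unix mode bits. As far as `os.Chmod` on Unix goes, `--mount-permissions=1777` would therefore not set the sticky bit an operator expects, and a large value could switch on flag bits nobody intended. Rejecting anything outside the nine permission bits makes the contract explicit: `if err != nil || permu64 > 0777 {`. The message would also read better with the accepted range and a trailing newline, e.g. `fmt.Fprintf(os.Stderr, "invalid --mount-permissions %q: must be octal, at most 0777\n", perm)`.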
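Review bot: The new `perm *uint32` field in nfsDriver relies on a nil-means-unset convention that is not written down in any of the three nfs.go hunks. A field comment such as `// perm is the mode chmod'ed onto the publish target; nil leaves the mount's own mode` would record it, and the exported `NewNFSdriver` deserves a doc comment naming the new parameter, since its signature changes for every caller. The struct and the constructor both continue outside the hunks shown.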
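Review bot: A failed `os.Chmod` in the added block returns `codes.Internal` after what appears to be the mount step has already succeeded, and nothing here unmounts `targetPath`, so the share is presumably left mounted while the publish is reported as failed. Unmounting before the return, or treating the chmod as best-effort and logging it, would keep retries clean; NodePublishVolume starts outside the hunk, so how a retry treats an existing mount is not visible here. The chmod can also be expected to fail on read-only publishes and on exports with root squashing. When it succeeds it changes the mode of the exported directory for every client of the share, which is worth a comment above the block: `// chmod is applied to the NFS export root and is visible to all clients of the share`.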