
Commit f6d1d3f

authored
Use who am i and other improvements (#98)
* Update test cluster to k8s v1.32.0 * Update Quobyte go api to v1.4.0 * Improve shared volume access permissions A shared volume is supposed to be accessed by all the pods for creation and deletion of PVCs inside it. Therefore, it should have open access (1777), and each PVC is created with (700). These default permissions ensure access to the shared volume and limited access to the PVCs inside it. These shared volume permissions only apply if the user does not create the shared volume themselves (and does not change permissions via the client). For a PVC that is created inside a shared volume, the default permissions can be overridden by the storage class "accessMode:". However, it is advised to set only the sticky bit and user:group permissions (1xx0) and leave out the others permissions (set to 0). * Resolve user/group from API ..get user/group from the current user using Quobyte API * Add shared volume user/group to node image * Mount host users and groups into container * Mount host user/groups into client * Add sticky bit clarification * update local test config * Update shared volume example * Update helm test snapshot * Update storage class examples .. and add comment about optional user/group.
1 parent 2ec66e1 commit f6d1d3f

31 files changed

+396
-110
lines changed

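--- a/csi-driver-templates/templates/pods/containers/_quobyte_csi_controller_container.tpl
+++ b/csi-driver-templates/templates/pods/containers/_quobyte_csi_controller_container.tpl
@@ -9,8 +9,8 @@
 securityContext:
 privileged: true
 capabilities:
-add: ["SYS_ADMIN"]
-allowPrivilegeEscalation: true
+# For shared volume PVCs, ownership change is required
+add: ["SYS_ADMIN", "CHOWN"]
 image: {{ .Values.quobyte.dev.csiImage }}
 imagePullPolicy: "IfNotPresent"
 args:
@@ -53,4 +53,10 @@
 - name: certs
 mountPath: /etc/ssl/certs/
 {{- end }}
+- name: users
+mountPath: /etc/passwd
+mountPropagation: "HostToContainer"
+- name: groups
+mountPath: /etc/group
+mountPropagation: "HostToContainer"
 {{- end }}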
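Review bot: The new `users` and `groups` volume mounts are writable: neither carries `readOnly: true`, so the container can modify the host's /etc/passwd and /etc/group although the driver only needs to read them to resolve names to ids. A privileged container could remount them, but the flag still prevents accidental writes and records intent, so I would add `readOnly: true` under each of the two mounts here, in the node driver container template, and in example/client.yaml (the snapshot then changes accordingly). Since the host files shadow the image's own /etc/passwd and /etc/group, a comment above `- name: users` should say that any account the image relies on must exist on the host. The explicit `CHOWN` entry is documentary while `privileged: true` is set, as a privileged container already holds all capabilities; the comment above it could say so.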

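--- a/csi-driver-templates/templates/pods/containers/_quobyte_csi_node_driver_container.tpl
+++ b/csi-driver-templates/templates/pods/containers/_quobyte_csi_node_driver_container.tpl
@@ -56,4 +56,10 @@
 - name: certs
 mountPath: /etc/ssl/certs/
 {{- end }}
+- name: users
+mountPath: /etc/passwd
+mountPropagation: "HostToContainer"
+- name: groups
+mountPath: /etc/group
+mountPropagation: "HostToContainer"
 {{- end}}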

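--- a/csi-driver-templates/templates/pods/volumes/_quobyte_csi_controller_volume_attachments.tpl
+++ b/csi-driver-templates/templates/pods/volumes/_quobyte_csi_controller_volume_attachments.tpl
@@ -17,4 +17,12 @@ volumes:
 path: /etc/ssl/certs/
 type: Directory
 {{- end }}
+- name: users
+hostPath:
+path: /etc/passwd
+type: File
+- name: groups
+hostPath:
+path: /etc/group
+type: File
 {{- end }}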
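Review bot: Bind-mounting /etc/passwd and /etc/group as single files pins the inode the pod started with; useradd/groupadd typically write a new file and rename it into place, so accounts added on the host after pod start stay invisible inside the container until it restarts. `mountPropagation: HostToContainer` on the mount side does not change this, because it propagates sub-mounts, not file replacement. If the driver must see accounts created later, the pod needs a restart after host changes (or a directory mount instead of file mounts); at minimum a comment above `- name: users` should state the restart requirement. The same applies to the node plugin volume attachments and to example/client.yaml. Whether an enclosing `{{- if }}` gates these volumes the way `certs` is gated is outside the hunk.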

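--- a/csi-driver-templates/templates/pods/volumes/_quobyte_csi_node_plugin_volume_attachments.tpl
+++ b/csi-driver-templates/templates/pods/volumes/_quobyte_csi_node_plugin_volume_attachments.tpl
@@ -28,4 +28,12 @@ volumes:
 path: /etc/ssl/certs/
 type: Directory
 {{- end }}
+- name: users
+hostPath:
+path: /etc/passwd
+type: File
+- name: groups
+hostPath:
+path: /etc/group
+type: File
 {{- end }}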

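--- a/csi-driver-templates/tests/__snapshot__/csi_driver_test.yaml.snap
+++ b/csi-driver-templates/tests/__snapshot__/csi_driver_test.yaml.snap
@@ -396,10 +396,10 @@ should render when resource limits are provided:
 cpu: 50m
 memory: 50Mi
 securityContext:
-allowPrivilegeEscalation: true
 capabilities:
 add:
 - SYS_ADMIN
+- CHOWN
 privileged: true
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -411,6 +411,12 @@ should render when resource limits are provided:
 name: quobyte-mounts
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 priorityClassName: system-cluster-critical
 serviceAccount: quobyte-csi-controller-sa-csi-quobyte-com
 volumes:
@@ -428,6 +434,14 @@ should render when resource limits are provided:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 12: |
 apiVersion: v1
 kind: ServiceAccount
@@ -573,6 +587,12 @@ should render when resource limits are provided:
 name: log-dir
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 - args:
 - --node_name=$(KUBE_NODE_NAME)
 - --driver_name=csi.quobyte.com
@@ -633,6 +653,14 @@ should render when resource limits are provided:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 16: |
 apiVersion: v1
 kind: ServiceAccount
@@ -1022,10 +1050,10 @@ should render when tolerations are provided:
 imagePullPolicy: IfNotPresent
 name: quobyte-csi-driver
 securityContext:
-allowPrivilegeEscalation: true
 capabilities:
 add:
 - SYS_ADMIN
+- CHOWN
 privileged: true
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -1037,6 +1065,12 @@ should render when tolerations are provided:
 name: quobyte-mounts
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 priorityClassName: system-cluster-critical
 serviceAccount: quobyte-csi-controller-sa-csi-quobyte-com
 tolerations:
@@ -1058,6 +1092,14 @@ should render when tolerations are provided:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 10: |
 apiVersion: v1
 kind: ServiceAccount
@@ -1195,6 +1237,12 @@ should render when tolerations are provided:
 name: log-dir
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 - args:
 - --node_name=$(KUBE_NODE_NAME)
 - --driver_name=csi.quobyte.com
@@ -1255,6 +1303,14 @@ should render when tolerations are provided:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 14: |
 apiVersion: v1
 kind: ServiceAccount
@@ -1644,10 +1700,10 @@ should render with default values:
 imagePullPolicy: IfNotPresent
 name: quobyte-csi-driver
 securityContext:
-allowPrivilegeEscalation: true
 capabilities:
 add:
 - SYS_ADMIN
+- CHOWN
 privileged: true
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -1659,6 +1715,12 @@ should render with default values:
 name: quobyte-mounts
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 priorityClassName: system-cluster-critical
 serviceAccount: quobyte-csi-controller-sa-csi-quobyte-com
 volumes:
@@ -1676,6 +1738,14 @@ should render with default values:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 10: |
 apiVersion: v1
 kind: ServiceAccount
@@ -1813,6 +1883,12 @@ should render with default values:
 name: log-dir
 - mountPath: /etc/ssl/certs/
 name: certs
+- mountPath: /etc/passwd
+mountPropagation: HostToContainer
+name: users
+- mountPath: /etc/group
+mountPropagation: HostToContainer
+name: groups
 - args:
 - --node_name=$(KUBE_NODE_NAME)
 - --driver_name=csi.quobyte.com
@@ -1869,6 +1945,14 @@ should render with default values:
 path: /etc/ssl/certs/
 type: Directory
 name: certs
+- hostPath:
+path: /etc/passwd
+type: File
+name: users
+- hostPath:
+path: /etc/group
+type: File
+name: groups
 14: |
 apiVersion: v1
 kind: ServiceAccount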

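--- a/example/Storage-class-shared-volume.yaml
+++ b/example/Storage-class-shared-volume.yaml
@@ -36,6 +36,8 @@ parameters:
 # creates quota for the volume if set to true. The size of the Quota
 # is the storage requested in PVC. If false, creates volume without size limit.
 createQuota: "true"
+# user/group is optional - if not provided, user/group is retrieved from the Quobyte user
+# associated with the provisioner-secret provided above.
 user: root
 group: root
 accessMode: "777"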
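Review bot: The shared-volume example still ends with `accessMode: "777"`, which contradicts the commit's own guidance that PVC directories inside a shared volume should carry only the sticky bit and user/group bits (1xx0) with no permissions for others. Because this file is what users copy, the example should show the recommended shape, e.g. `accessMode: "1770"` (a constructed value that follows the 1xx0 guidance; pick the bits the project wants to recommend), with a comment above it explaining why others are left at 0. The new `user`/`group` comment is fine, though if the two lines are left as `root` while described as optional, a second comment saying they can be removed to use the secret's identity would make the example self-explanatory.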

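--- a/example/StorageClass.yaml
+++ b/example/StorageClass.yaml
@@ -35,6 +35,8 @@ parameters:
 # creates quota for the volume if set to true. The size of the Quota
 # is the storage requested in PVC. If false, creates volume without size limit.
 createQuota: "true"
+# user/group is optional - if not provided, user/group is retrieved from the Quobyte user
+# associated with the provisioner-secret provided above.
 user: nginx
 group: nginx
 accessMode: "750"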

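--- a/example/access_keys/storage-class-api-and-mount-secret.yaml
+++ b/example/access_keys/storage-class-api-and-mount-secret.yaml
@@ -19,7 +19,9 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-name: "quobyte-mount-secret"
 csi.storage.k8s.io/node-publish-secret-namespace: "quobyte"
 createQuota: "true"
+# user/group is optional - if not provided, user/group is retrieved from the Quobyte user
+# associated with the provisioner-secret provided above.
 user: root
 group: root
-accessMode: "777"
+accessMode: "750"
 reclaimPolicy: Delete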

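--- a/example/access_keys/storage-class-generic-secret.yaml
+++ b/example/access_keys/storage-class-generic-secret.yaml
@@ -19,7 +19,9 @@ parameters:
 csi.storage.k8s.io/node-publish-secret-name: "quobyte-generic-secret"
 csi.storage.k8s.io/node-publish-secret-namespace: "quobyte"
 createQuota: "true"
+# user/group is optional - if not provided, user/group is retrieved from the Quobyte user
+# associated with the provisioner-secret provided above.
 user: root
 group: root
-accessMode: "777"
+accessMode: "750"
 reclaimPolicy: Delete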

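--- a/example/client.yaml
+++ b/example/client.yaml
@@ -26,7 +26,7 @@ spec:
 value: INFO
 - name: QUOBYTE_REGISTRY
 # Your Quobyte registry endpoint
-value: venkat.corp.quobyte.com:2169 # Example: hydrogen.quobyte.com:12354
+value: venkat.corp.quobyte.com:2776 # Example: hydrogen.quobyte.com:12354
 - name: QUOBYTE_MOUNT_POINT
 # Corresponding volume mount must be one directory below this path
 # Example volumeMount is : /home/quobyte and clientMountPoint is /home/quobyte/mounts
@@ -94,6 +94,12 @@ spec:
 - name: quobyte-mount
 mountPath: /home/quobyte
 mountPropagation: Bidirectional
+- name: users
+mountPath: /etc/passwd
+mountPropagation: HostToContainer
+- name: groups
+mountPath: /etc/group
+mountPropagation: HostToContainer
 - name: minidumps-dir
 mountPath: /tmp/minidumps
 lifecycle:
@@ -109,3 +115,11 @@ spec:
 - name: minidumps-dir
 hostPath:
 path: /var/lib/quobyte/.minidumps
+- name: users
+hostPath:
+path: /etc/passwd
+type: File
+- name: groups
+hostPath:
+path: /etc/group
+type: File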
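Review bot: The first hunk ships a developer-specific registry endpoint in a public example, changing it from `venkat.corp.quobyte.com:2169` to `venkat.corp.quobyte.com:2776` while the trailing comment already names the intended placeholder. The example should carry the placeholder rather than an internal hostname and port, e.g. `value: hydrogen.quobyte.com:12354 # Replace with your Quobyte registry endpoint`, so users do not copy an endpoint that exists only on the author's network and internal host names are not published. Internal endpoints belong in a local override such as the test config mentioned in the commit message, not in example/client.yaml.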

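--- a/kind-cluster/run_test
+++ b/kind-cluster/run_test
@@ -64,10 +64,15 @@ echo "Running script from $(pwd)"
 echo "Creating kind k8s cluster Dockerfile * * * * * * * * * * * * * * * * * * * * * * * * * *"
 echo ""
 echo ""
+
+# https://github.com/kubernetes-sigs/kind/releases
+# Install the latest kind binary from the releases on testing host
+# and update the kindest/node: image
 tee -a "${TEST_CLUSTER_DIR}"/Dockerfile <<END
-FROM kindest/node:v1.30.6@sha256:b6d08db72079ba5ae1f4a88a09025c0a904af3b52387643c285442afb05ab994
+FROM kindest/node:v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027
 RUN apt-get -y update
 RUN apt-get -y install wget && apt-get install -y git && apt install -y nano dnsutils
+RUN groupadd admin && useradd admin -g admin
 END
 
 echo "Building new image using the above Dockerfile. On the local machine: * * *"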
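Review bot: The new comment tells the tester to install the "latest" kind binary, but the `FROM kindest/node:v1.32.0@sha256:...` line pins a node image by digest, and kind node images are only guaranteed to work with the kind release that published them; "latest" and this digest will drift apart. The comment should name the kind release this digest was taken from (a placeholder `<KIND_RELEASE>` until filled in) and ask for a matching binary, e.g. `# Use the kind release that lists this kindest/node digest; see the releases page` plus `# and bump both together`. The added `RUN groupadd admin && useradd admin -g admin` creates the account the host-mounted /etc/passwd must contain for the test, which is worth a one-line comment above it, since nothing in the hunk connects the two.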
