diff --git a/.github/workflows/pluto.yaml b/.github/workflows/pluto.yaml new file mode 100644 index 00000000..57bc7a5a --- /dev/null +++ b/.github/workflows/pluto.yaml @@ -0,0 +1,26 @@ +name: k8s api version check +on: + pull_request: {} + push: {} + +jobs: + + build: + name: Build + runs-on: ubuntu-latest + steps: + + - name: Checkout + uses: actions/checkout@v2 + + # https://pluto.docs.fairwinds.com/advanced/#display-options + - name: Download pluto + uses: FairwindsOps/pluto/github-action@master + + - name: Check deploy folder + run: | + pluto detect-files -d deploy + + - name: Check example folder + run: | + pluto detect-files -d deploy/example diff --git a/Dockerfile b/Dockerfile index 04ca3c23..f9f5590a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,6 +23,6 @@ COPY bin/${ARCH}/nfsplugin /nfsplugin RUN apt update && apt-mark unhold libcap2 RUN clean-install ca-certificates mount nfs-common netbase # install updated packages to fix CVE issues -RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 +RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10 ENTRYPOINT ["/nfsplugin"] diff --git a/charts/README.md b/charts/README.md index f7d22d30..21416c5c 100644 --- a/charts/README.md +++ b/charts/README.md 
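Review bot: The `Download pluto` step uses `FairwindsOps/pluto/github-action@master`, a mutable branch reference, so any change pushed upstream runs in this repository's CI on every push and pull request without review here. Pin it to a full commit SHA, e.g. `uses: FairwindsOps/pluto/github-action@FULL_COMMIT_SHA  # RELEASE_TAG` (both placeholders), and do the same for `actions/checkout@v2`. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope. Since it only reads files, a top-level `permissions:` with `contents: read` would be enough.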
@@ -38,6 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | Parameter | Description | Default | |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------| | `driver.name` | alternative driver name | `nfs.csi.k8s.io` | +| `driver.mountPermissions` | mounted folder permissions name | `0777` | `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` | | `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` | | `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` | @@ -70,6 +71,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi | | `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | +| `node.name` | driver node daemonset name | `csi-nfs-node` | `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1` | `node.logLevel` | node driver log level |`5` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index 9ac82022..504e516b 100644 Binary files a/charts/latest/csi-driver-nfs-v3.1.0.tgz and b/charts/latest/csi-driver-nfs-v3.1.0.tgz differ diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml index f0f932bc..b449d2c0 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml 
@@ -72,6 +72,7 @@ spec: - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" - "--drivername={{ .Values.driver.name }}" + - "--mount-permissions={{ .Values.driver.mountPermissions }}" env: - name: NODE_ID valueFrom: diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml index 3cb29d0f..03135e53 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml @@ -84,6 +84,7 @@ spec: - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" - "--drivername={{ .Values.driver.name }}" + - "--mount-permissions={{ .Values.driver.mountPermissions }}" env: - name: NODE_ID valueFrom: diff --git a/charts/latest/csi-driver-nfs/values.yaml b/charts/latest/csi-driver-nfs/values.yaml index de9e1334..42a2fa25 100755 --- a/charts/latest/csi-driver-nfs/values.yaml +++ b/charts/latest/csi-driver-nfs/values.yaml @@ -24,6 +24,13 @@ rbac: create: true name: nfs +driver: + name: nfs.csi.k8s.io + mountPermissions: "0777" + +feature: + enableFSGroupPolicy: false + controller: name: csi-nfs-controller replicas: 2 @@ -92,12 +99,6 @@ node: cpu: 10m memory: 20Mi -feature: - enableFSGroupPolicy: false - -driver: - name: nfs.csi.k8s.io - ## Reference to one or more secrets to be used when pulling images ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## diff --git a/cmd/nfsplugin/main.go b/cmd/nfsplugin/main.go index 876ca842..ddc48a66 100644 --- a/cmd/nfsplugin/main.go +++ b/cmd/nfsplugin/main.go @@ -30,7 +30,7 @@ import ( var ( endpoint = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint") nodeID = flag.String("nodeid", "", "node id") - perm = flag.String("mount-permissions", "", "mounted folder permissions") + perm = flag.String("mount-permissions", "0777", "mounted folder permissions") driverName = flag.String("drivername", nfs.DefaultDriverName, "name of the driver") ) 
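Review bot: `"--mount-permissions={{ .Values.driver.mountPermissions }}"` renders the value with whatever type it has, and the same line is added in csi-nfs-node.yaml. The chart default is the quoted string `"0777"`, but a values file that writes `mountPermissions: 0777` unquoted is likely to be read as a YAML octal integer and rendered as `511`, which the driver would then take as a different mode. Stating in values.yaml and in the README row that the value must be a quoted octal string would prevent this. A template guard using `kindIs "string"` with `fail` would be stricter.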
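Review bot: `mountPermissions: "0777"` makes world-writable the chart default, and the main.go hunk changes the `mount-permissions` flag default from `""` to `"0777"` as well. How the flag is parsed is outside this diff, but if an empty value previously left `Driver.perm` nil, then the `os.Chmod(targetPath, ...)` in NodePublishVolume (nodeserver.go hunk) now runs on every publish. On upgrade that would change the mode of the mounted export root for existing installations, and return `codes.Internal` wherever the server refuses the chmod. Consider keeping no-chmod as the default and documenting `0777` as an explicit opt-in, or at least calling out the behaviour change in the README and release notes.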
diff --git a/hack/verify-helm-chart-files.sh b/hack/verify-helm-chart-files.sh index 13e2af8f..1930627c 100755 --- a/hack/verify-helm-chart-files.sh +++ b/hack/verify-helm-chart-files.sh @@ -50,6 +50,6 @@ echo "chart tgz files verified." echo "verify helm chart index ..." curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash -helm repo add csi-driver-smb https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts +helm repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts helm search repo -l csi-driver-nfs echo "helm chart index verified." diff --git a/pkg/nfs/controllerserver.go b/pkg/nfs/controllerserver.go index 63a05e23..3478f1b8 100644 --- a/pkg/nfs/controllerserver.go +++ b/pkg/nfs/controllerserver.go @@ -98,14 +98,17 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol } }() + fileMode := os.FileMode(0777) + if cs.Driver.perm != nil { + fileMode = os.FileMode(*cs.Driver.perm) + } // Create subdirectory under base-dir - // TODO: revisit permissions internalVolumePath := cs.getInternalVolumePath(nfsVol) - if err = os.Mkdir(internalVolumePath, 0777); err != nil && !os.IsExist(err) { + if err = os.Mkdir(internalVolumePath, fileMode); err != nil && !os.IsExist(err) { return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error()) } // Reset directory permissions because of umask problems - if err = os.Chmod(internalVolumePath, 0777); err != nil { + if err = os.Chmod(internalVolumePath, fileMode); err != nil { klog.Warningf("failed to chmod subdirectory: %v", err.Error()) } return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol)}, nil diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index 4324a204..68834ac7 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go 
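Review bot: A failed `os.Chmod(internalVolumePath, fileMode)` is only logged with `klog.Warningf`, and `os.Mkdir` tolerates `os.IsExist`, so a pre-existing or umask-affected directory can be handed out with a mode other than the configured one while CreateVolume still succeeds. Now that the mode is operator-chosen, returning the error would fail closed: `return nil, status.Errorf(codes.Internal, "failed to chmod subdirectory: %v", err.Error())`. `os.FileMode(*cs.Driver.perm)` also converts the value unmasked. If the flag parsing (not visible here) does not already reject values above `0777`, a range check belongs there. CreateVolume's body begins above this hunk.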
@@ -87,6 +87,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis } if ns.Driver.perm != nil { + klog.V(2).Infof("volumeID(%v): mount targetPath(%s) with permissions(%o)", volumeID, targetPath, *ns.Driver.perm) if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil { return nil, status.Error(codes.Internal, err.Error()) } diff --git a/test/external-e2e/run.sh b/test/external-e2e/run.sh index b08df4c7..d5d0f537 100644 --- a/test/external-e2e/run.sh +++ b/test/external-e2e/run.sh @@ -26,11 +26,11 @@ install_ginkgo () { setup_e2e_binaries() { # download k8s external e2e binary - curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.21.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz + curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.23.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz tar -xvf e2e-tests.tar.gz && rm e2e-tests.tar.gz # enable fsGroupPolicy (only available from k8s 1.20) - export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0" + export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node --set image.csiProvisioner.tag=v3.0.0 --set driver.mountPermissions=0777" # test on alternative driver name sed -i "s/nfs.csi.k8s.io/$DRIVER.csi.k8s.io/g" deploy/example/storageclass-nfs.yaml
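Review bot: In `setup_e2e_binaries`, the bumped `curl -sL .../v1.23.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz` is unpacked by `tar -xvf` with no integrity check. Without `-f`, an HTTP error body is also saved as if it were the archive. Use `curl -fsSL` and compare against a pinned digest before extracting, e.g. `echo "EXPECTED_SHA256  e2e-tests.tar.gz" | sha256sum -c -` (placeholder digest). Separately, `--set driver.mountPermissions=0777` equals the chart default, so this run does not exercise a non-default mode. The function continues outside the hunk.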