Merge pull request #388 from andyzhangx/mountpermissions-fix

fix: default mountPermissions issue

charts/README.md

@@ -38,7 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
 |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------|
 | `customLabels`                                    | optional extra labels to k8s resources deployed by chart   | `{}`                                                              |
 | `driver.name`                                     | alternative driver name                                    | `nfs.csi.k8s.io` |
-| `driver.mountPermissions`                         | mounted folder permissions name                            | `0777`
+| `driver.mountPermissions`                         | default mounted folder permissions                             | `0`
 | `feature.enableFSGroupPolicy`                     | enable `fsGroupPolicy` on a k8s 1.20+ cluster              | `true`                      |
 | `feature.enableInlineVolume`                      | enable inline volume                     | `false`                      |
 | `kubeletDir`                                      | alternative kubelet directory                              | `/var/lib/kubelet`                                                  |

charts/latest/csi-driver-nfs/values.yaml

@@ -27,7 +27,7 @@ rbac:
 
 driver:
   name: nfs.csi.k8s.io
-  mountPermissions: 0777
+  mountPermissions: 0
 
 feature:
   enableFSGroupPolicy: true

cmd/nfsplugin/main.go

@@ -28,7 +28,7 @@ import (
 var (
 	endpoint         = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
 	nodeID           = flag.String("nodeid", "", "node id")
-	mountPermissions = flag.Uint64("mount-permissions", 0777, "mounted folder permissions")
+	mountPermissions = flag.Uint64("mount-permissions", 0, "mounted folder permissions")
 	driverName       = flag.String("drivername", nfs.DefaultDriverName, "name of the driver")
 	workingMountDir  = flag.String("working-mount-dir", "/tmp", "working directory for provisioner to mount nfs shares temporarily")
 )

docs/driver-parameters.md

@@ -9,7 +9,7 @@ Name | Meaning | Example Value | Mandatory | Default value
 server | NFS Server address | domain name `nfs-server.default.svc.cluster.local` <br>or IP address `127.0.0.1` | Yes |
 share | NFS share path | `/` | Yes |
 subDir | sub directory under nfs share |  | No | if sub directory does not exist, this driver would create a new one
-mountPermissions | mounted folder permissions. The default is `0777`, if set as `0`, driver will not perform `chmod` after mount |  | No |
+mountPermissions | mounted folder permissions. The default is `0`, if set as non-zero, driver will perform `chmod` after mount |  | No |
 
 ### PV/PVC usage (static provisioning)
 > [`PersistentVolume` example](../deploy/example/pv-nfs-csi.yaml)
@@ -18,7 +18,7 @@ Name | Meaning | Example Value | Mandatory | Default value
 --- | --- | --- | --- | ---
 volumeAttributes.server | NFS Server address | domain name `nfs-server.default.svc.cluster.local` <br>or IP address `127.0.0.1` | Yes |
 volumeAttributes.share | NFS share path | `/` |  Yes  |
-volumeAttributes.mountPermissions | mounted folder permissions. The default is `0777` |  | No |
+volumeAttributes.mountPermissions | mounted folder permissions. The default is `0`, if set as non-zero, driver will perform `chmod` after mount |  | No |
 
 ### Tips
 #### `subDir` parameter supports following pv/pvc metadata conversion

pkg/nfs/controllerserver.go

@@ -130,16 +130,18 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 		}
 	}()
 
-	fileMode := os.FileMode(mountPermissions)
 	// Create subdirectory under base-dir
 	internalVolumePath := getInternalVolumePath(cs.Driver.workingMountDir, nfsVol)
-	if err = os.Mkdir(internalVolumePath, fileMode); err != nil && !os.IsExist(err) {
+	if err = os.Mkdir(internalVolumePath, 0777); err != nil && !os.IsExist(err) {
 		return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error())
 	}
+
+	if mountPermissions > 0 {
 		// Reset directory permissions because of umask problems
-	if err = os.Chmod(internalVolumePath, fileMode); err != nil {
+		if err = os.Chmod(internalVolumePath, os.FileMode(mountPermissions)); err != nil {
 			klog.Warningf("failed to chmod subdirectory: %v", err.Error())
 		}
+	}
 
 	setKeyValueInMap(parameters, paramSubDir, nfsVol.subDir)
 	return &csi.CreateVolumeResponse{

pkg/nfs/nodeserver.go

@@ -60,7 +60,6 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	subDirReplaceMap := map[string]string{}
 
 	mountPermissions := ns.Driver.mountPermissions
-	performChmodOp := (mountPermissions > 0)
 	for k, v := range req.GetVolumeContext() {
 		switch strings.ToLower(k) {
 		case paramServer:
@@ -82,15 +81,9 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		case mountPermissionsField:
 			if v != "" {
 				var err error
-				var perm uint64
+				if mountPermissions, err = strconv.ParseUint(v, 8, 32); err != nil {
-				if perm, err = strconv.ParseUint(v, 8, 32); err != nil {
 					return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("invalid mountPermissions %s", v))
 				}
-				if perm == 0 {
-					performChmodOp = false
-				} else {
-					mountPermissions = perm
-				}
 			}
 		}
 	}
@@ -138,7 +131,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
-	if performChmodOp {
+	if mountPermissions > 0 {
 		if err := chmodIfPermissionMismatch(targetPath, os.FileMode(mountPermissions)); err != nil {
 			return nil, status.Error(codes.Internal, err.Error())
 		}