nfs: add support for clients in the StorageClass

The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified. Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
ceph · Jun 16, 2023 · d03d3fe · d03d3fe
1 parent 37f1d72
commit d03d3fe
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/e2e/nfs.go b/e2e/nfs.go
@@ -440,6 +440,39 @@ var _ = Describe("nfs", func() {
 				}
 			})
 
+			By("create a storageclass with a restricted set of clients allowed to mount it. This is expected to fail", func() {
+				err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+					"clients": "192.168.49.29,192.168.132.30",
+				})
+				if err != nil {
+					framework.Failf("failed to create NFS storageclass: %v", err)
+				}
+				err = validatePVCAndAppBinding(pvcPath, appPath, f)
+				if err == nil {
+					framework.Failf("Mount expected to fail but didn't: %v", err)
+				}
+				err = deleteResource(nfsExamplePath + "storageclass.yaml")
+				if err != nil {
+					framework.Failf("failed to delete NFS storageclass: %v", err)
+				}
+			})
+			By("create a storageclass with a wide range of network address to encompass all clients.This is expected to pass", func() {
+				err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+					"clients": "*",
+				})
+				if err != nil {
+					framework.Failf("failed to create NFS storageclass: %v", err)
+				}
+				err = validatePVCAndAppBinding(pvcPath, appPath, f)
+				if err != nil {
+					framework.Failf("NFS clients were not able to mount: %v", err)
+				}
+				err = deleteResource(nfsExamplePath + "storageclass.yaml")
+				if err != nil {
+					framework.Failf("failed to delete NFS storageclass: %v", err)
+				}
+			})
+
 			By("create a PVC and bind it to an app", func() {
 				err := createNFSStorageClass(f.ClientSet, f, false, nil)
 				if err != nil {

diff --git a/examples/nfs/storageclass.yaml b/examples/nfs/storageclass.yaml
@@ -51,5 +51,11 @@ parameters:
   # This option is available with Ceph v17.2.6 and newer.
   # secTypes: <sectype-list>
 
+  # (optional) The clients parameter in the storage class is used to limit
+  # access to the export to the set of hostnames, networks or ip addresses
+  # specified.  The <client-list> is a comma delimited string,
+  # for example: "192.168.0.10,192.168.1.0/8"
+  # clients: <client-list>
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
diff --git a/internal/nfs/controller/volume.go b/internal/nfs/controller/volume.go
@@ -132,6 +132,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 	nfsCluster := backend.VolumeContext["nfsCluster"]
 	path := backend.VolumeContext["subvolumePath"]
 	secTypes := backend.VolumeContext["secTypes"]
+	clients := backend.VolumeContext["clients"]
 
 	err := nv.setNFSCluster(nfsCluster)
 	if err != nil {
@@ -157,6 +158,10 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 		}
 	}
 
+	if clients != "" {
+		export.ClientAddr = strings.Split(clients, ",")
+	}
+
 	_, err = nfsa.CreateCephFSExport(export)
 	switch {
 	case err == nil: