cephfs: dont set explicit permissions on the volume #2847
@Mergifyio rebase
✅ Branch has been successfully rebased
Again ? @nixpanic @Rakshith-R https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline
/retest ci/centos/mini-e2e-helm/k8s-1.22
/retest ci/centos/upgrade-tests-rbd
Cool.. Tests are passing after rebase.. so please discard the previous comment :) @nixpanic @Rakshith-R ptal.. thanks !
I am not sure how this will affect already created volumes/ new volumes and about FSGroups, I'll let others review this pr.
@nixpanic ptal.. thanks.
/retest ci/centos/upgrade-tests-cephfs
@Mergifyio refresh
✅ Pull request refreshed
At present we are node staging with worldwide permissions which is not correct. We should allow the CO to take care of it and make the decision.

This commit also removes `fuseMountOptions` and `KernelMountOptions` as they are no longer needed.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
```
ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce.
```

In between considering we are giving 0777 permission on nodestage of cephfs shares, we defaulted to NONE. However giving worldwide permission to the volume is not the right thing and it has been fixed in cephfs via ceph/ceph-csi#2847

This commit brings it back to the value which is also in parity with RBD driver.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Expected to be addressed with #2880
```
ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce.
```

In between considering we are giving 0777 permission on nodestage of cephfs shares, we defaulted to NONE. However giving worldwide permission to the volume is not the right thing and it has been fixed in cephfs via ceph/ceph-csi#2847

This commit brings it back to the value which is also in parity with RBD driver.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 6561bda)
(cherry picked from commit e324059)
At present we are node staging with worldwide permissions which is not correct. We should allow the CO to take care of it and make the decision.

Considering we have set to worldwide permission, we are defaulting to `fsgroup = None` for CephFS atm, once this is in, we can change to `FSGroupChangePolicy` to `ReadWriteOnceWithFSType` for CephFS too.

Fixes #2356

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
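
An added example, not part of this PR or of ceph-csi's code: a small audit that lists directories under an operator-supplied root whose mode grants write access to every local user, which is the 0777 condition this change stops setting at node stage. `Finding`, `FindWorldWritableDirs` and the depth limit are hypothetical names and choices made for this illustration; the root to scan is an assumption left to whoever runs it.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one directory that every local user can write to.
type Finding struct {
	Path string
	Mode fs.FileMode // full mode, so the sticky bit (1777) stays visible
}

// FindWorldWritableDirs reports directories under root with the "other write"
// bit set. maxDepth (>= 1) stops the walk from descending into volume data.
func FindWorldWritableDirs(root string, maxDepth int) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		// Entries that vanish mid-walk make Info fail; skip them.
		if info, ierr := d.Info(); ierr == nil && info.Mode().Perm()&0o002 != 0 {
			out = append(out, Finding{Path: p, Mode: info.Mode()})
		}
		rel, _ := filepath.Rel(root, p)
		if rel != "." && strings.Count(rel, string(filepath.Separator))+1 >= maxDepth {
			return fs.SkipDir
		}
		return nil
	})
	return out, err
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: audit <root>")
	}
	findings, err := FindWorldWritableDirs(os.Args[1], 2)
	for _, f := range findings {
		fmt.Println(f.Mode, f.Path)
	}
	if err != nil {
		log.Fatal(err)
	}
}
```

Symbolic links are not followed, so a link pointing at a world-writable directory is not reported.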