[FEATURE] Support CSI fsGroupPolicy #2131
From the Kubernetes code perspective, it looks like everything should work fine. There are 3 cases we need to consider:
Case#1 and Case#3 should work, and Case#2 should also work.
@khushboo-rancher already verified that Case#1 and Case#3 are working as expected.
Validated the Longhorn basic functionality with v1.20; it looks good. As mentioned in #2131 (comment), Longhorn is validated with the cases below.
Running the integration test for Case#2; will update with the result. Update: the integration test looks good on a k3s v1.20 setup.
@PhanLe1010 the fuzzer you linked to is code used only for testing, as indicated by the use of random values here :) So in the case where the feature gate is enabled and the driver object exists but does not define the field: do we define fsGroupPolicy in the Longhorn CSIDriver object?
Thank you for pointing out the mistake in the code link. Yeah, it is testing code. The default values are filled in here instead: https://github.com/kubernetes/kubernetes/blob/af46c47ce925f4c4ad5cc8d1fca46c7b77d13b38/pkg/apis/storage/v1/defaults.go#L56. So it is not possible for the field to end up undefined when the feature gate is enabled; the API server fills in a default.
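For reference, a CSIDriver object defaulted by a v1.20 API server should carry the field, roughly like this sketch (other spec fields omitted; the name is Longhorn's CSI driver name):

```yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: driver.longhorn.io      # Longhorn's CSI driver name
spec:
  # ...other spec fields omitted...
  fsGroupPolicy: ReadWriteOnceWithFSType   # filled in by API-server defaulting when not set explicitly
```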
No, we don't define it. We actually cannot define it, since we are using client-go v1.16 and its CSIDriver type doesn't have the fsGroupPolicy field.
Analysis
1. Running a pod as a non-root user and the problem
It is good practice to run a pod as a non-root user to prevent bugs or malicious code from taking over the system. An example of a pod that runs as a non-root user could be:
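A minimal sketch, consistent with the user and group IDs described below (the pod name, image, and PVC name are illustrative):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod            # illustrative name
spec:
  securityContext:
    runAsUser: 1000             # every process runs with user ID 1000
    runAsGroup: 3000            # primary group ID 3000
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "sleep 3600"]
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-pvc       # illustrative PVC backed by a Longhorn volume
```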
The above YAML file tells Kubernetes to run every process of every container inside the pod with user ID 1000 and primary group ID 3000. So far so good, processes are not running as root. However, there is a problem here: if the volume is mounted with its files owned by root, the non-root processes cannot write to it.
2. fsGroup
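A sketch of how fsGroup is typically added to the pod-level securityContext so that Kubernetes changes the group ownership of the volume's files on mount (the group ID is illustrative):

```yaml
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 3000      # the kubelet recursively changes the volume's group ownership to this
                       # GID on mount, so the non-root processes can read and write the data
```

For CSI volumes, whether the kubelet is permitted to perform this ownership change is controlled by the fsGroupPolicy field on the CSIDriver object, which is the subject of this issue.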
Thanks, @PhanLe1010, it's a well-written explanation. I also feel that we should put this into either our documentation or a KB article. After that, I will leave it for QA to verify the result, then we can close it.
FYI: During the team meeting, we decided that we should write a KB article for this issue.
Hey folks, I'm running into this problem and it seems as though something needs to be set in the CSIDriver. Even with the securityContext defined in the pod, I'm still getting the error. I've got this defined in spec.securityContext:
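Something along these lines, with illustrative values:

```yaml
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000    # expected to make the Longhorn volume group-writable on mount
```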
@carpenike Which Kubernetes distro (e.g. RKE/K3s/EKS/OpenShift) and version are you using? Also, which Longhorn version?
@PhanLe1010 -- Kubeadm deployed on top of Ubuntu. Longhorn 1.1.0.
Yup! They're Ubuntu nodes, so it's just an apt update process. The kubelet restarts on each node and reports in to the control plane with the updated version.
Should I just remove the driver and re-create it?
@carpenike Yes, the workaround is as simple as that. You can also just delete the pod that deploys the CSI driver so everything gets re-created. However, is it possible that you can hold on a second? We would like to learn how to reproduce the issue. It would be great if you could help us.
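A sketch of the workaround, assuming the default Longhorn namespace and component names (verify the exact names in your cluster):

```bash
# Delete the Longhorn CSIDriver object; the driver deployer should re-create it
# with the fields supported by the current Kubernetes version.
kubectl delete csidriver driver.longhorn.io

# Alternatively, delete the driver deployer pod so it re-runs its deployment logic.
kubectl -n longhorn-system delete pod -l app=longhorn-driver-deployer
```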
Sure, no problem. :)
Thanks. What is your upgrade order? Did you install Longhorn first and then upgrade Kubernetes to v1.20, or upgrade Kubernetes to v1.20 first and then install Longhorn?
Generally the first one. |
Ok, that explains why Longhorn is saying that your Kubernetes version is v1.19.8 in the CSIDriver CR: at the time the CSI driver was deployed, the cluster was still on v1.19.8.
Can you try the workaround to see if the CSIDriver CR is updated with the new K8s version and has the fsGroupPolicy field?
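One way to check (assuming Longhorn's default driver name, driver.longhorn.io):

```bash
# After the CSIDriver object is re-created on a v1.20 API server, the spec should
# carry fsGroupPolicy (defaulted to ReadWriteOnceWithFSType if not set explicitly).
kubectl get csidriver driver.longhorn.io -o yaml | grep fsGroupPolicy
```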
Done. It seems like Longhorn is caching the k8s version?
CSIDriver looks the same too:
No, it fetches the info from the Kube API server: https://github.com/longhorn/longhorn-manager/blob/bb8a72669a61e36ab70d25651b9c8f67c5c7fb2b/csi/deployment_util.go#L158. Hmm.
Can you try the following and share the output?
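(Exact commands assumed; the goal is to compare the control-plane version with the kubelet versions reported by the nodes.)

```bash
# Version reported by the API server (control plane)
kubectl version
# Version reported by each node's kubelet
kubectl get nodes -o wide
```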
Figured it out -- the k8s kubelets had upgraded to 1.20.4, but the underlying API server and services had not. Ran through the kubeadm upgrade process and now things are starting up as expected. Deleted the longhorn-driver and it's re-deploying everything. https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/ This would likely not have been encountered with a fresh 1.20.x cluster.
Pre-merged Checklist
Verified the scenarios from #2131 (comment); all the explanations hold. Validations - Pass
https://kubernetes.io/blog/2020/12/14/kubernetes-release-1.20-fsgroupchangepolicy-fsgrouppolicy/
Ref:
#1221
#1842 (comment)
Note: A manual test plan is required because:
Applicable Kubernetes version: v1.20+