Allow to set custom permissions for the mounted folder

For RWX volume, kubelet does not perform recursive ownership/permission
change. The heuristics that kubelet uses is being modified via -
kubernetes/enhancements#1682

Having said that, for RWX volumes which are made available via NFS
protocol, using fsGroup is not recommended because if there are 2 pods
that are trying to use same volume but with different fsGroup then one
pod may lock out the other pod.

To avoid this, we must be able to set the folder permissions to 777.
This commit adds a cli option --mount-permissions, that allows to
define custom permissions. If the value is not specified, then default
permissions will be kept.

Cherry-picked from: kubernetes-csi#36

cmd/nfsplugin/main.go

@@ -20,6 +20,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"strconv"
 
 	"github.com/spf13/cobra"
 
@@ -29,6 +30,7 @@ import (
 var (
 	endpoint string
 	nodeID   string
+	perm     string
 )
 
 func init() {
@@ -55,6 +57,8 @@ func main() {
 	cmd.PersistentFlags().StringVar(&endpoint, "endpoint", "", "CSI endpoint")
 	cmd.MarkPersistentFlagRequired("endpoint")
 
+	cmd.PersistentFlags().StringVar(&perm, "mount-permissions", "", "mounted folder permissions")
+
 	cmd.ParseFlags(os.Args[1:])
 	if err := cmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "%s", err.Error())
@@ -65,6 +69,18 @@ func main() {
 }
 
 func handle() {
-	d := nfs.NewNFSdriver(nodeID, endpoint)
+	// Converting string permission representation to *uint32
+	var parsedPerm *uint32
+	if perm != "" {
+		permu64, err := strconv.ParseUint(perm, 8, 32)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Incorrect mount-permissions value: %q", perm)
+			os.Exit(1)
+		}
+		permu32 := uint32(permu64)
+		parsedPerm = &permu32
+	}
+
+	d := nfs.NewNFSdriver(nodeID, endpoint, parsedPerm)
 	d.Run()
 }

pkg/nfs/nfs.go

@@ -29,6 +29,8 @@ type nfsDriver struct {
 
 	endpoint string
 
+	perm *uint32
+
 	//ids *identityServer
 	ns    *nodeServer
 	cap   map[csi.VolumeCapability_AccessMode_Mode]bool
@@ -43,7 +45,7 @@ var (
 	version = "2.0.0"
 )
 
-func NewNFSdriver(nodeID, endpoint string) *nfsDriver {
+func NewNFSdriver(nodeID, endpoint string, perm *uint32) *nfsDriver {
 	glog.Infof("Driver: %v version: %v", driverName, version)
 
 	n := &nfsDriver{
@@ -52,6 +54,7 @@ func NewNFSdriver(nodeID, endpoint string) *nfsDriver {
 		nodeID:   nodeID,
 		endpoint: endpoint,
 		cap:      map[csi.VolumeCapability_AccessMode_Mode]bool{},
+		perm:     perm,
 	}
 
 	vcam := []csi.VolumeCapability_AccessMode_Mode{

pkg/nfs/nodeserver.go

@@ -73,6 +73,12 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
+	if ns.Driver.perm != nil {
+		if err := os.Chmod(targetPath, os.FileMode(*ns.Driver.perm)); err != nil {
+			return nil, status.Error(codes.Internal, err.Error())
+		}
+	}
+
 	return &csi.NodePublishVolumeResponse{}, nil
 }