BUILD-277: Fix fsGroup handling #19
Conversation
/retitle BUILD-277: Fix fsGroup handling
looks like we need an update to bindata @jsafrane; the unit test is a known port conflict / concurrent test thing with metrics
/test test
By default, CSIDriver.fsGroupPolicy is ReadWriteOnceWithFSType, which is a legacy heuristic used to detect shared filesystems. This heuristic does not work for ephemeral CSI volumes, therefore turn it off and always apply pod.spec.securityContext.fsGroup to all files provided by the CSI driver. As a result, files are readable (and writable) by the pod processes.
This CSI driver does not implement the ControllerPublish CSI call. The call is not used in ephemeral volumes; still, explicit is better than implicit.
Fixed. In the meantime we migrated the other operators to go embed and we don't need to regenerate anything. See openshift/aws-ebs-csi-driver-operator#131. You're welcome to follow suit ;-)
thanks for the pointer ... I'll open an issue to track ... @coreydaley FYI
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: gabemontero, jsafrane. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
By default, CSIDriver.fsGroupPolicy is ReadWriteOnceWithFSType, which is a legacy heuristic used to detect shared filesystems, where we don't want fsGroup to be applied. This heuristic does not work for ephemeral CSI volumes, therefore turn it off and always apply pod.spec.securityContext.fsGroup to all files provided by the CSI driver. As a result, files are readable (and writable) by the pod processes.
From:
To:
(Where pod.spec.securityContext.fsGroup = 1000590000)
Also add attachRequired: false to make it explicit that this CSI driver does not implement the ControllerPublish call. It is not used in ephemeral volumes; still, it was quite surprising when I saw attachRequired: true there, as defaulted by the API server.
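The two settings the description talks about, written out as an added example (not a manifest from this PR or from the operator's repository). The driver name, pod name, image and volumeAttributes key are placeholders; the only value taken from the page is the fsGroup 1000590000 quoted above. The first object shows in comments what the API server stores when the fields are omitted, and then states both fields explicitly, which is the change the PR makes:

```yaml
# Added example, not the PR's own manifest. Driver name, image and the
# volumeAttributes key are placeholders.
---
# Before: if fsGroupPolicy and attachRequired are omitted, the API server
# defaults them to fsGroupPolicy: ReadWriteOnceWithFSType and
# attachRequired: true. The ReadWriteOnceWithFSType heuristic never applies
# fsGroup to an ephemeral (inline) volume, so a non-root pod cannot read
# the files the driver provides.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: example.csi.placeholder.io      # placeholder driver name
spec:
  volumeLifecycleModes:
    - Ephemeral
  # After: both fields stated explicitly.
  fsGroupPolicy: File                   # kubelet applies pod fsGroup to every file
  attachRequired: false                 # no ControllerPublish / VolumeAttachment step
---
# A pod consuming the inline ephemeral volume. With fsGroupPolicy: File the
# kubelet sets group ownership of /data to 1000590000, so the process running
# as that UID/GID can read (and write) the files; with the default heuristic
# the files would keep the ownership the driver wrote them with.
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-check                   # placeholder pod name
spec:
  securityContext:
    runAsUser: 1000590000               # placeholder non-root UID
    fsGroup: 1000590000                 # value quoted in the PR description
  containers:
    - name: app
      image: registry.example/placeholder:latest   # placeholder image
      command: ["sh", "-c", "ls -ln /data && cat /data/*"]
      volumeMounts:
        - name: shared
          mountPath: /data
  volumes:
    - name: shared
      csi:
        driver: example.csi.placeholder.io
        readOnly: true
        volumeAttributes:
          example.placeholder/resource: "placeholder"   # driver-specific attribute
```

A quick way to confirm what the API server actually stored for an existing driver object is to read the object back after creation and compare the fsGroupPolicy and attachRequired fields with what the manifest declares; the PR's point is that the defaulted values are the wrong ones for an ephemeral-only driver.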