New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUILD-381: require CSI Volumes using the Shared Resources driver to be specified as readOnly == true #84
BUILD-381: require CSI Volumes using the Shared Resources driver to be specified as readOnly == true #84
Conversation
by code review URL I mean https://github.com/openshift/csi-driver-shared-resource/pull/84/files?w=1 @coreydaley |
/assign @rolfedh for docs approve label |
/assign @prietyc123 for qe approved label |
/label px-approved |
or something similar for each commit if you want to break it up that way @coreydaley |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fyi it passed for me locally /retest |
/label docs-approved |
more aws pain /retest |
/label qe-approved |
docs/content-update-details.md
Outdated
in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. | ||
|
||
So while the driver requires all volume references in the various `Pods` are read only, so that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rephrase this one to be more understable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep part of next push
docs/csi.md
Outdated
- Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is only supported with read-write `Volumes`. | ||
- the `ReadOnly` field is required to be set to 'true'. This follows conventions introduced in upstream Kubernetes CSI Drivers to facilitate proper SELinux labelling. What occurs is that | ||
this driver will return a read-write linux file system to the kubelet, so that CRI-O can apply the correct SELinux labels on the file system (CRI-O would not be able to update the SELinux labels on a read only file system | ||
after it is created), but the kubelet still makes sure that the file system later exposed to the consuming (which sits on top of the file system returned by this repository's driver) is read only. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/consuming /consuming pod/
@@ -95,318 +95,282 @@ func TestCreateHostPathVolumeBadAccessType(t *testing.T) { | |||
} | |||
|
|||
func TestCreateDeleteConfigMap(t *testing.T) { | |||
readOnly := []bool{true, false} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in my attempt to change these tests, I was wondering if it wouldn't be interresting to keep this for loop with 2 attempts; so we are sure that a creation then a deletion then a re-creation works well.
That would change the for loop with an i++ counter instead, but that would keep the test valid and valuable; wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry no, I don't think such a permutation has value for any of these tests. The volume won't even be provisioned when the kubelet asks for it if readOnly is not set to true with these changes. That is the requirement we have had to establish, the pattern from upstream we are following, in order to get the SELinux labels correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have not just the one unit test which makes sure we fail the provision if readOnly is not set to true.
pkg/hostpath/hostpath.go
Outdated
@@ -50,6 +50,8 @@ type hostPath struct { | |||
ephemeral bool | |||
maxVolumesPerNode int64 | |||
|
|||
testSoNoMounter bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we mock/stub this interface instead of adding this parameter especially to a public method?
Also, by reading the tests comments, it seems that we will be needing to have sudo privilege to run the tests; which is a bit complex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I took a short cut of not creating a mock mounter for unit tests.
I'll switch to creating a mock mounter and remove this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi k8s over at https://github.com/kubernetes/utils/tree/master/mount does not have a "fake" mounter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and yes with all this we are "avoiding" the need for sudo priv's that are required to call the "real" mounter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am glad to see that now we have something more elegant than k8s folks 😄
pkg/hostpath/hostpath.go
Outdated
klog.V(2).Infof("pruner: issue unmounting for volume %s mount id %s: %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir(), err.Error()) | ||
} else { | ||
klog.V(2).Infof("pruner: successfully unmounted volume %s mount id %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir()) | ||
if mounter != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so this is only needed when we are in unit tests?
The mounter here is only instantiated if we are in test mode. And so is the clean-up. I would suggest that we add this logic only in unit tests methods only.
err = mounter.Unmount(hpv.GetVolPathAnchorDir())
we only need a reference to the hpv
and we could create a mounter
in the unit test.
wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see my comment above ... I'll create a mock/test version of the mount interface
ok thanks for the review @akram I've either responded in comments or made change in a separate commit for this review from you.... PTAL ... I'll squash commits when we reach a steady state with your review |
That looks good now @gabemontero ! You can squash then, so I can lgtm that. |
56dcbef
to
6b51a3e
Compare
thanks @akram the akram-1 commit has been squashed into the code/doc/unit/e2e commits appropriately |
bump @prietyc123 for qe approved label the scenario here is to confirm that it the pod trying to mount the shared resource volume does not set the volumeAttribute |
/lgtm |
docs/content-update-details.md
Outdated
`SharedConfigMaps`. Then, when the actual `Secrets` or `ConfigMaps` referenced by those | ||
`SharedSecrets` and `SharedConfigMaps` change, each volume across all the active `Pods` | ||
in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. | |
in the system will have their content corresponding to those `Secrets` and `ConfigMaps` updated. |
docs/content-update-details.md
Outdated
with the belief that if they want resource refreshing disabled, it should be disabled for everyone. | ||
|
||
For disabling at the volume specific level, the `volumeAttributes` field in should have an entry with the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For disabling at the volume specific level, the `volumeAttributes` field in should have an entry with the | |
For disabling at the volume specific level, the `volumeAttributes` field should have an entry with the |
docs/csi.md
Outdated
this driver will return a read-write linux file system to the kubelet, so that CRI-O can apply the correct SELinux labels on the file system (CRI-O would not be able to update the SELinux labels on a read only file system | ||
after it is created), but the kubelet still makes sure that the file system later exposed to the consuming pod (which sits on top of the file system returned by this repository's driver) is read only. | ||
If this driver allowed both read-only and read-write, there is in fact no way to provide differing support that still allows for correct SELinux labelling for each). | ||
- Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported the driver only supports read-only `Volumes`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported the driver only supports read-only `Volumes`. | |
- Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported. The driver only supports read-only `Volumes`. |
pkg/hostpath/hostpath.go
Outdated
if hp.mounter != nil { | ||
err = hp.mounter.Unmount(hpv.GetVolPathAnchorDir()) | ||
if err != nil { | ||
klog.V(2).Infof("pruner: issue unmounting for volume %s mount id %s: %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir(), err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this should be a warning, not an info.
/hold |
6b51a3e
to
2120e56
Compare
updates made @coreydaley - went ahead and squashed to existing code/doc commits given degree of change /hold cancel |
/lgtm |
install pain no refresh e2e /retest |
@gabemontero: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Also fixed a doc update that was missed when I changed the controller watch to listen to the namespaces that are referenced by shares instead of listening to all namespaces but filter out some openshift system namespaces.
/assign @coreydaley
a lot of deleted code
I would also use
?w=1
at the end of the git URL used during code review in your browser to filter down white space differencesfor PR review
@akram FYI - yeah a fair amount of e2e reduction was needed since we can no longer support shares mounted off other shares since we require read only to be true