BUILD-381: require CSI Volumes using the Shared Resources driver to be specified as readOnly == true #84
Conversation
|
by code review URL I mean https://github.com/openshift/csi-driver-shared-resource/pull/84/files?w=1 @coreydaley |
|
/assign @rolfedh for docs approve label |
|
/assign @prietyc123 for qe approved label |
|
/label px-approved |
openshift-ci
bot
added
the
px-approved
or something similar for each commit if you want to break it up that way @coreydaley |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
fyi it passed for me locally /retest |
|
/label docs-approved |
openshift-ci
bot
added
the
docs-approved
|
more aws pain /retest |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
docs/content-update-details.md
Outdated
| in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. | ||
|
|
||
| So while the driver requires all volume references in the various `Pods` are read only, so that |
There was a problem hiding this comment.
Can we rephrase this one to be more understable?
There was a problem hiding this comment.
yep part of next push
docs/csi.md
Outdated
| - Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is only supported with read-write `Volumes`. | ||
| - the `ReadOnly` field is required to be set to 'true'. This follows conventions introduced in upstream Kubernetes CSI Drivers to facilitate proper SELinux labelling. What occurs is that | ||
| this driver will return a read-write linux file system to the kubelet, so that CRI-O can apply the correct SELinux labels on the file system (CRI-O would not be able to update the SELinux labels on a read only file system | ||
| after it is created), but the kubelet still makes sure that the file system later exposed to the consuming (which sits on top of the file system returned by this repository's driver) is read only. |
| @@ -95,318 +95,282 @@ func TestCreateHostPathVolumeBadAccessType(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestCreateDeleteConfigMap(t *testing.T) { | |||
| readOnly := []bool{true, false} | |||
There was a problem hiding this comment.
in my attempt to change these tests, I was wondering if it wouldn't be interresting to keep this for loop with 2 attempts; so we are sure that a creation then a deletion then a re-creation works well.
That would change the for loop with an i++ counter instead, but that would keep the test valid and valuable; wdyt ?
There was a problem hiding this comment.
Sorry no, I don't think such a permutation has value for any of these tests. The volume won't even be provisioned when the kubelet asks for it if readOnly is not set to true with these changes. That is the requirement we have had to establish, the pattern from upstream we are following, in order to get the SELinux labels correct.
There was a problem hiding this comment.
I have not just the one unit test which makes sure we fail the provision if readOnly is not set to true.
pkg/hostpath/hostpath.go
Outdated
| @@ -50,6 +50,8 @@ type hostPath struct { | |||
| ephemeral bool | |||
| maxVolumesPerNode int64 | |||
|
|
|||
| testSoNoMounter bool | |||
There was a problem hiding this comment.
Shouldn't we mock/stub this interface instead of adding this parameter especially to a public method?
Also, by reading the tests comments, it seems that we will be needing to have sudo privilege to run the tests; which is a bit complex.
There was a problem hiding this comment.
Yes I took a short cut of not creating a mock mounter for unit tests.
I'll switch to creating a mock mounter and remove this.
There was a problem hiding this comment.
fyi k8s over at https://github.com/kubernetes/utils/tree/master/mount does not have a "fake" mounter
There was a problem hiding this comment.
and yes with all this we are "avoiding" the need for sudo priv's that are required to call the "real" mounter
There was a problem hiding this comment.
I am glad to see that now we have something more elegant than k8s folks 😄
pkg/hostpath/hostpath.go
Outdated
| klog.V(2).Infof("pruner: issue unmounting for volume %s mount id %s: %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir(), err.Error()) | ||
| } else { | ||
| klog.V(2).Infof("pruner: successfully unmounted volume %s mount id %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir()) | ||
| if mounter != nil { |
There was a problem hiding this comment.
so this is only needed when we are in unit tests?
The mounter here is only instantiated if we are in test mode. And so is the clean-up. I would suggest that we add this logic only in unit tests methods only.
err = mounter.Unmount(hpv.GetVolPathAnchorDir())
we only need a reference to the hpv and we could create a mounter in the unit test.
wdyt ?
There was a problem hiding this comment.
see my comment above ... I'll create a mock/test version of the mount interface
|
ok thanks for the review @akram I've either responded in comments or made change in a separate commit for this review from you.... PTAL ... I'll squash commits when we reach a steady state with your review |
|
That looks good now @gabemontero ! You can squash then, so I can lgtm that. |
gabemontero
force-pushed
the
require-read-only
branch
from
56dcbef
to
6b51a3e
Compare
thanks @akram the akram-1 commit has been squashed into the code/doc/unit/e2e commits appropriately |
|
bump @prietyc123 for qe approved label the scenario here is to confirm that it the pod trying to mount the shared resource volume does not set the volumeAttribute |
|
/lgtm |
docs/content-update-details.md
Outdated
| `SharedConfigMaps`. Then, when the actual `Secrets` or `ConfigMaps` referenced by those | ||
| `SharedSecrets` and `SharedConfigMaps` change, each volume across all the active `Pods` | ||
| in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. |
There was a problem hiding this comment.
| in the system will have their content corresponding to those `Secrets` and `ConfigMaps`. | |
| in the system will have their content corresponding to those `Secrets` and `ConfigMaps` updated. |
docs/content-update-details.md
Outdated
| with the belief that if they want resource refreshing disabled, it should be disabled for everyone. | ||
|
|
||
| For disabling at the volume specific level, the `volumeAttributes` field in should have an entry with the |
There was a problem hiding this comment.
| For disabling at the volume specific level, the `volumeAttributes` field in should have an entry with the | |
| For disabling at the volume specific level, the `volumeAttributes` field should have an entry with the |
docs/csi.md
Outdated
| this driver will return a read-write linux file system to the kubelet, so that CRI-O can apply the correct SELinux labels on the file system (CRI-O would not be able to update the SELinux labels on a read only file system | ||
| after it is created), but the kubelet still makes sure that the file system later exposed to the consuming pod (which sits on top of the file system returned by this repository's driver) is read only. | ||
| If this driver allowed both read-only and read-write, there is in fact no way to provide differing support that still allows for correct SELinux labelling for each). | ||
| - Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported the driver only supports read-only `Volumes`. |
There was a problem hiding this comment.
| - Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported the driver only supports read-only `Volumes`. | |
| - Also, mounting of one `SharedConfigMap` OR `SharedSecret` off of a subdirectory of another `SharedConfigMap` OR `SharedSecret` is *NOT* supported. The driver only supports read-only `Volumes`. |
pkg/hostpath/hostpath.go
Outdated
| if hp.mounter != nil { | ||
| err = hp.mounter.Unmount(hpv.GetVolPathAnchorDir()) | ||
| if err != nil { | ||
| klog.V(2).Infof("pruner: issue unmounting for volume %s mount id %s: %s", hpv.GetVolID(), hpv.GetVolPathAnchorDir(), err.Error()) |
There was a problem hiding this comment.
I think that this should be a warning, not an info.
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
gabemontero
force-pushed
the
require-read-only
branch
from
6b51a3e
to
2120e56
Compare
|
updates made @coreydaley - went ahead and squashed to existing code/doc commits given degree of change /hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
install pain no refresh e2e /retest |
|
@gabemontero: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Also fixed a doc update that was missed when I changed the controller watch to listen to the namespaces that are referenced by shares instead of listening to all namespaces but filter out some openshift system namespaces.
/assign @coreydaley
a lot of deleted code
I would also use
?w=1at the end of the git URL used during code review in your browser to filter down white space differencesfor PR review
@akram FYI - yeah a fair amount of e2e reduction was needed since we can no longer support shares mounted off other shares since we require read only to be true