Supporting defaultMode in podman kube play

Kubernetes allows setting default permission for volume, this is to provide similar capability in podman kube play Close containers#19313 Signed-off-by: Vincent Deng <ywdeng@tw.ibm.com>
vincentywdeng · Sep 25, 2023 · 7c77fb6 · 7c77fb6
1 parent 8acd66c
commit 7c77fb6
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
@@ -628,13 +628,23 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			if err != nil || mountPoint == "" {
 				return nil, nil, fmt.Errorf("unable to get mountpoint of volume %q: %w", vol.Name(), err)
 			}
+
+			defaultMode := v.DefaultMode
 			// Create files and add data to the volume mountpoint based on the Items in the volume
 			for k, v := range v.Items {
 				dataPath := filepath.Join(mountPoint, k)
 				f, err := os.Create(dataPath)
 				if err != nil {
 					return nil, nil, fmt.Errorf("cannot create file %q at volume mountpoint %q: %w", k, mountPoint, err)
 				}
+
+				// Sets file permission
+				err = f.Chmod(os.FileMode(defaultMode))
+
+				if err != nil {
+					return nil, nil, fmt.Errorf("cannot change file permission for %q : %w", dataPath, err)
+				}
+
 				defer f.Close()
 				_, err = f.Write(v)
 				if err != nil {

diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go
@@ -48,6 +48,12 @@ type KubeVolume struct {
 	// If the volume is optional, we can move on if it is not found
 	// Only used when there are volumes in a yaml that refer to a configmap
 	Optional bool
+	// Optional: mode bits used to set permissions on created files by default.
+	// Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	DefaultMode int32
 }
 
 // Create a KubeVolume from an HostPathVolumeSource
@@ -132,9 +138,10 @@ func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource, mountLabel string) (*
 // VolumeFromSecret creates a new kube volume from a kube secret.
 func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error) {
 	kv := &KubeVolume{
-		Type:   KubeVolumeTypeSecret,
-		Source: secretSource.SecretName,
-		Items:  map[string][]byte{},
+		Type:        KubeVolumeTypeSecret,
+		Source:      secretSource.SecretName,
+		DefaultMode: v1.SecretVolumeSourceDefaultMode,
+		Items:       map[string][]byte{},
 	}
 
 	// returns a byte array of a kube secret data, meaning this needs to go into a string map
@@ -154,6 +161,11 @@ func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secre
 		return nil, err
 	}
 
+	// Only change defaultMode when the specified mode is between 0 to 0777
+	if secretSource.DefaultMode != nil && *secretSource.DefaultMode >= 0 && *secretSource.DefaultMode <= int32(os.ModePerm) {
+		kv.DefaultMode = *secretSource.DefaultMode
+	}
+
 	// If there are Items specified in the volumeSource, that overwrites the Data from the Secret
 	if len(secretSource.Items) > 0 {
 		for _, item := range secretSource.Items {
@@ -188,15 +200,20 @@ func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource
 func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error) {
 	var configMap *v1.ConfigMap
 	kv := &KubeVolume{
-		Type:  KubeVolumeTypeConfigMap,
-		Items: map[string][]byte{},
+		Type:        KubeVolumeTypeConfigMap,
+		Items:       map[string][]byte{},
+		DefaultMode: v1.ConfigMapVolumeSourceDefaultMode,
 	}
 	for _, cm := range configMaps {
 		if cm.Name == configMapVolumeSource.Name {
 			matchedCM := cm
 			// Set the source to the config map name
 			kv.Source = cm.Name
 			configMap = &matchedCM
+			// Only change defaultMode when the specified mode is between 0 to 0777
+			if configMapVolumeSource.DefaultMode != nil && *configMapVolumeSource.DefaultMode >= 0 && *configMapVolumeSource.DefaultMode <= int32(os.ModePerm) {
+				kv.DefaultMode = *configMapVolumeSource.DefaultMode
+			}
 			break
 		}
 	}