[FEATURE]: Add FSGroupPolicy Support in Dell CSI Drivers for PowerScale and PowerStore #167
Assignees
Labels
area/csi-powerscale
Issue pertains to the CSI Driver for Dell EMC PowerScale
area/csi-powerstore
Issue pertains to the CSI Driver for Dell EMC PowerStore
type/feature
A feature. This label is applied to a feature issues.
Milestone
Comments
harishp8889
added
type/feature-request
10 tasks
10 tasks
hoppea2
added
type/feature
10 tasks
5 tasks
5 tasks
5 tasks
gallacher
changed the title
gallacher
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the solution you'd like
As a User :
I should be able to set FSgroup policy in Kubernetes. Corresponding CSI Volume should be able to access with Kubernetes POD security context.
CSI Drivers can indicate whether or not they support modifying a volume's ownership or permissions when the volume is being mounted. This can be useful if the CSI Driver does not support the operation, or wishes to re-use volumes with constantly changing permissions.
See the design document for further information.
Example Usage
When creating the CSI Driver object, fsGroupPolicy is defined in the driver's spec. The following shows the hostpath driver with None included, indicating that the volumes should not be modified when mounted:
apiVersion: storage.k8s.io/v1kind: CSIDrivermetadata:name: hostpath.csi.k8s.iospec:# Supports persistent and ephemeral inline volumes.volumeLifecycleModes:- Persistent- Ephemeral# To determine at runtime which mode a volume uses, pod info and its# "csi.storage.k8s.io/ephemeral" entry are needed.podInfoOnMount: truefsGroupPolicy: None
Supported Modes
The following modes are supported:
None: Indicates that volumes will be mounted with no modifications, as the CSI volume driver does not support these operations.
File: Indicates that the CSI volume driver supports volume ownership and permission change via fsGroup, and Kubernetes may use fsGroup to change permissions and ownership of the volume to match user requested fsGroup in the pod's SecurityPolicy regardless of fstype or access mode.
ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce. .
If undefined, fsGroupPolicy will default to ReadWriteOnceWithFSType, keeping the previous behavior.
Feature Gates
To use this field, Kubernetes 1.19 binaries must start with the CSIVolumeFSGroupPolicy feature gate enabled:
--feature-gates=CSIVolumeFSGroupPolicy=true
This is enabled by default on 1.20 and higher.
More information : https://kubernetes-csi.github.io/docs/support-fsgroup.html
Describe alternatives you've considered
Delegation feature
Additional context
NA
The text was updated successfully, but these errors were encountered: