Merge pull request #72 from inteon/fsgroup

cert-manager-prow[bot] · web-flow · commit 084acbbe213c · 2025-05-27T08:48:49.000Z
Add securityContext.fsGroup support, remove FixedFSGroup field
diff --git a/driver/controllerserver.go b/driver/controllerserver.go
@@ -20,8 +20,6 @@ import (
 	"context"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
 var _ csi.ControllerServer = &controllerServer{} // compiler validation
@@ -30,70 +28,9 @@ type controllerServer struct {
 	csi.UnimplementedControllerServer
 }
 
-func (cs *controllerServer) ControllerModifyVolume(ctx context.Context, request *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ControllerModifyVolume not implemented")
-}
-
-func (cs *controllerServer) ControllerGetVolume(ctx context.Context, request *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ControllerGetVolume not implemented")
-}
-
-func (cs *controllerServer) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "CreateVolume not implemented")
-}
-
-func (cs *controllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "DeleteVolume not implemented")
-}
-
-func (cs *controllerServer) ControllerPublishVolume(ctx context.Context, req *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ControllerPublishVolume not implemented")
-}
-
-func (cs *controllerServer) ControllerUnpublishVolume(ctx context.Context, req *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ControllerUnpublishVolume not implemented")
-}
-
-func (cs *controllerServer) ValidateVolumeCapabilities(ctx context.Context, req *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ValidateVolumeCapabilities not implemented")
-}
-
-func (cs *controllerServer) ListVolumes(ctx context.Context, req *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ListVolumes not implemented")
-}
-
-func (cs *controllerServer) GetCapacity(ctx context.Context, req *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "GetCapacity not implemented")
-}
-
-// ControllerGetCapabilities implements the default GRPC callout.
-// Default supports all capabilities
+// Advertise no capabilities.
 func (cs *controllerServer) ControllerGetCapabilities(ctx context.Context, req *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error) {
 	return &csi.ControllerGetCapabilitiesResponse{
-		Capabilities: []*csi.ControllerServiceCapability{
-			{
-				Type: &csi.ControllerServiceCapability_Rpc{
-					Rpc: &csi.ControllerServiceCapability_RPC{
-						Type: csi.ControllerServiceCapability_RPC_UNKNOWN,
-					},
-				},
-			},
-		},
+		Capabilities: []*csi.ControllerServiceCapability{},
 	}, nil
 }
-
-func (cs *controllerServer) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "CreateSnapshot not implemented")
-}
-
-func (cs *controllerServer) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "DeleteSnapshot not implemented")
-}
-
-func (cs *controllerServer) ListSnapshots(ctx context.Context, req *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ListSnapshots not implemented")
-}
-
-func (cs *controllerServer) ControllerExpandVolume(ctx context.Context, req *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "ControllerExpandVolume not implemented")
-}
diff --git a/driver/identityserver.go b/driver/identityserver.go
@@ -58,6 +58,7 @@ func (ids *identityServer) Probe(ctx context.Context, req *csi.ProbeRequest) (*c
 	return &csi.ProbeResponse{}, nil
 }
 
+// Advertise the CONTROLLER_SERVICE capability, indicating the controller service can be called.
 func (ids *identityServer) GetPluginCapabilities(ctx context.Context, req *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error) {
 	return &csi.GetPluginCapabilitiesResponse{
 		Capabilities: []*csi.PluginCapability{
diff --git a/driver/nodeserver.go b/driver/nodeserver.go
@@ -149,14 +149,6 @@ func loggerForMetadata(log logr.Logger, meta metadata.Metadata) logr.Logger {
 	return log.WithValues("pod_name", meta.VolumeContext["csi.storage.k8s.io/pod.name"])
 }
 
-func (ns *nodeServer) NodeStageVolume(ctx context.Context, request *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "NodeStageVolume not implemented")
-}
-
-func (ns *nodeServer) NodeUnstageVolume(ctx context.Context, request *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "NodeUnstageVolume not implemented")
-}
-
 func (ns *nodeServer) NodeUnpublishVolume(ctx context.Context, request *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
 	log := ns.log.WithValues("volume_id", request.VolumeId, "target_path", request.TargetPath)
 	ns.manager.UnmanageVolume(request.GetVolumeId())
@@ -184,21 +176,14 @@ func (ns *nodeServer) NodeUnpublishVolume(ctx context.Context, request *csi.Node
 	return &csi.NodeUnpublishVolumeResponse{}, nil
 }
 
-func (ns *nodeServer) NodeGetVolumeStats(ctx context.Context, request *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "NodeGetVolumeStats not implemented")
-}
-
-func (ns *nodeServer) NodeExpandVolume(ctx context.Context, request *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "NodeExpandVolume not implemented")
-}
-
+// Advertise the VOLUME_MOUNT_GROUP capability, indicating that we can handle the securityContext.fsGroup option.
 func (ns *nodeServer) NodeGetCapabilities(ctx context.Context, request *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error) {
 	return &csi.NodeGetCapabilitiesResponse{
 		Capabilities: []*csi.NodeServiceCapability{
 			{
 				Type: &csi.NodeServiceCapability_Rpc{
 					Rpc: &csi.NodeServiceCapability_RPC{
-						Type: csi.NodeServiceCapability_RPC_UNKNOWN,
+						Type: csi.NodeServiceCapability_RPC_VOLUME_MOUNT_GROUP,
 					},
 				},
 			},
diff --git a/driver/server.go b/driver/server.go
@@ -96,7 +96,7 @@ func parseEndpoint(ep string) (string, string, error) {
 			return s[0], s[1], nil
 		}
 	}
-	return "", "", fmt.Errorf("Invalid endpoint: %v", ep)
+	return "", "", fmt.Errorf("invalid endpoint: %v", ep)
 }
 
 func loggingInterceptor(log logr.Logger) grpc.UnaryServerInterceptor {
diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -38,14 +38,18 @@ type Metadata struct {
 	// System-specific attributes extracted from the NodePublishVolume request.
 	// These are sourced from the VolumeContext.
 	VolumeContext map[string]string `json:"volumeContext,omitempty"`
+
+	// VolumeMountGroup is the filesystem group that the volume should be mounted as.
+	VolumeMountGroup string `json:"volumeMountGroup,omitempty"`
 }
 
 // FromNodePublishVolumeRequest constructs a Metadata from a NodePublishVolumeRequest.
 // The NextIssuanceTime field will NOT be set.
 func FromNodePublishVolumeRequest(request *csi.NodePublishVolumeRequest) Metadata {
 	return Metadata{
-		VolumeID:      request.GetVolumeId(),
-		TargetPath:    request.GetTargetPath(),
-		VolumeContext: request.GetVolumeContext(),
+		VolumeID:         request.GetVolumeId(),
+		TargetPath:       request.GetTargetPath(),
+		VolumeContext:    request.GetVolumeContext(),
+		VolumeMountGroup: request.GetVolumeCapability().GetMount().GetVolumeMountGroup(),
 	}
 }
diff --git a/storage/filesystem.go b/storage/filesystem.go
@@ -49,16 +49,10 @@ type Filesystem struct {
 	// used by the 'read only' methods
 	fs fs.StatFS
 
-	// FixedFSGroup is an optional field which will set the gid ownership of all
-	// volume's data directories to this value.
-	// If this value is set, FSGroupVolumeAttributeKey has no effect.
-	FixedFSGroup *int64
-
 	// FSGroupVolumeAttributeKey is an optional well-known key in the volume
 	// attributes. If this attribute is present in the context when writing
 	// files, gid ownership of the volume's data directory will be changed to
 	// the value. Attribute value must be a valid int64 value.
-	// If FixedFSGroup is defined, this field has no effect.
 	FSGroupVolumeAttributeKey string
 }
 
@@ -328,19 +322,20 @@ func makePayload(in map[string][]byte) map[string]util.FileProjection {
 // directory should be changed to. Returns nil if ownership should not be
 // changed.
 func (f *Filesystem) fsGroupForMetadata(meta metadata.Metadata) (*int64, error) {
-	// FixedFSGroup takes precedence over attribute key.
-	if f.FixedFSGroup != nil {
-		return f.FixedFSGroup, nil
-	}
-
+	// The VolumeAttribute takes precedence over the VolumeMountGroup that is
+	// set using the securityContext.fsGroup field. This way, we can support more
+	// granular control over the fsGroup per volume.
+	fsGroupStr := ""
 	// If the FSGroupVolumeAttributeKey is not defined, no ownership can change.
-	if len(f.FSGroupVolumeAttributeKey) == 0 {
-		return nil, nil
+	if fsGroupStr == "" && len(f.FSGroupVolumeAttributeKey) > 0 {
+		fsGroupStr = meta.VolumeContext[f.FSGroupVolumeAttributeKey]
+	}
+	if fsGroupStr == "" {
+		fsGroupStr = meta.VolumeMountGroup
 	}
 
-	fsGroupStr, ok := meta.VolumeContext[f.FSGroupVolumeAttributeKey]
-	if !ok {
-		// If the attribute has not been set, return no ownership change.
+	// If the attribute has not been set, return no ownership change.
+	if fsGroupStr == "" {
 		return nil, nil
 	}
 
diff --git a/storage/filesystem_test.go b/storage/filesystem_test.go
@@ -143,99 +143,106 @@ func Test_fsGroupForMetadata(t *testing.T) {
 	}
 
 	tests := map[string]struct {
-		fixedFSGroup              *int64
+		metaVolumeMountGroup      string
 		fsGroupVolumeAttributeKey string
 		volumeContext             map[string]string
 
 		expGID *int64
 		expErr bool
 	}{
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey='', should return nil gid": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey='', should return nil gid": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "",
 			volumeContext:             map[string]string{},
 			expGID:                    nil,
 			expErr:                    false,
 		},
-		"FixedFSGroup=10 FSGroupVolumeAttributeKey='', should return 10": {
-			fixedFSGroup:              intPtr(10),
+		"meta.VolumeMountGroup='70' FSGroupVolumeAttributeKey='', should return 70": {
+			metaVolumeMountGroup:      "70",
 			fsGroupVolumeAttributeKey: "",
 			volumeContext:             map[string]string{},
-			expGID:                    intPtr(10),
+			expGID:                    intPtr(70),
 			expErr:                    false,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined but not present in context, should return nil": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined but not present in context, should return nil": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext:             map[string]string{},
 			expGID:                    nil,
 			expErr:                    false,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined and present in context, should return 20": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='70' FSGroupVolumeAttributeKey=defined but not present in context, should return 70": {
+			metaVolumeMountGroup:      "70",
+			fsGroupVolumeAttributeKey: "fs-gid",
+			volumeContext:             map[string]string{},
+			expGID:                    intPtr(70),
+			expErr:                    false,
+		},
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined and present in context, should return 20": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext: map[string]string{
 				"fs-gid": "20",
 			},
 			expGID: intPtr(20),
 			expErr: false,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined and present in context but value of 0, should error": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='10' FSGroupVolumeAttributeKey=defined and present in context, should return 20": {
+			metaVolumeMountGroup:      "10",
+			fsGroupVolumeAttributeKey: "fs-gid",
+			volumeContext: map[string]string{
+				"fs-gid": "20",
+			},
+			expGID: intPtr(20),
+			expErr: false,
+		},
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined and present in context but value of 0, should error": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext: map[string]string{
 				"fs-gid": "0",
 			},
 			expGID: nil,
 			expErr: true,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined and present in context but value of -1, should error": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined and present in context but value of -1, should error": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext: map[string]string{
 				"fs-gid": "-1",
 			},
 			expGID: nil,
 			expErr: true,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined and present in context but value greater than the max gid, should error": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined and present in context but value greater than the max gid, should error": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext: map[string]string{
 				"fs-gid": "4294967296",
 			},
 			expGID: nil,
 			expErr: true,
 		},
-		"FixedFSGroup=nil FSGroupVolumeAttributeKey=defined and present in context but with bad value, should return error": {
-			fixedFSGroup:              nil,
+		"meta.VolumeMountGroup='' FSGroupVolumeAttributeKey=defined and present in context but with bad value, should return error": {
+			metaVolumeMountGroup:      "",
 			fsGroupVolumeAttributeKey: "fs-gid",
 			volumeContext: map[string]string{
 				"fs-gid": "bad-value",
 			},
 			expGID: nil,
 			expErr: true,
 		},
-		"FixedFSGroup=10 FSGroupVolumeAttributeKey=defined and present in context, should return superseding FixedFSGroup (10)": {
-			fixedFSGroup:              intPtr(10),
-			fsGroupVolumeAttributeKey: "fs-gid",
-			volumeContext: map[string]string{
-				"fs-gid": "20",
-			},
-			expGID: intPtr(10),
-			expErr: false,
-		},
 	}
 
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 			f := Filesystem{
-				FixedFSGroup:              test.fixedFSGroup,
 				FSGroupVolumeAttributeKey: test.fsGroupVolumeAttributeKey,
 			}
 
 			gid, err := f.fsGroupForMetadata(metadata.Metadata{
-				VolumeContext: test.volumeContext,
+				VolumeContext:    test.volumeContext,
+				VolumeMountGroup: test.metaVolumeMountGroup,
 			})
 
 			if (err != nil) != test.expErr {

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ func (ids identityServer) Probe(ctx context.Context, req csi.ProbeRequest) (*c`
`58`	`58`	`return &csi.ProbeResponse{}, nil`
`59`	`59`	`}`
`60`	`60`
	`61`	`+// Advertise the CONTROLLER_SERVICE capability, indicating the controller service can be called.`
`61`	`62`	`func (ids identityServer) GetPluginCapabilities(ctx context.Context, req csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error) {`
`62`	`63`	`return &csi.GetPluginCapabilitiesResponse{`
`63`	`64`	`Capabilities: []*csi.PluginCapability{`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func parseEndpoint(ep string) (string, string, error) {`
`96`	`96`	`return s[0], s[1], nil`
`97`	`97`	`}`
`98`	`98`	`}`
`99`		`- return "", "", fmt.Errorf("Invalid endpoint: %v", ep)`
	`99`	`+ return "", "", fmt.Errorf("invalid endpoint: %v", ep)`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`func loggingInterceptor(log logr.Logger) grpc.UnaryServerInterceptor {`