You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: keps/sig-storage/2317-fsgroup-on-mount/README.md
+6-4Lines changed: 6 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -234,7 +234,9 @@ fields of API types, flags, etc.?**
234
234
_This section must be completed when targeting beta graduation to a release._
235
235
236
236
***How can an operator determine if the feature is in use by workloads?**
237
-
We are going to split the metric that captures mount and permission timings. The full details are available in - https://github.com/kubernetes/kubernetes/issues/98667
237
+
The feature is in use if the feature gate DelegateFSGroupToCSIDriver is enabled in kubelet, and the CSI driver supports the `VOLUME_MOUNT_GROUP` node service capability.
238
+
239
+
We have considered introducing a new metric with a label that identifies which fsgroup logic is used (https://github.com/kubernetes/kubernetes/issues/98667), but because this feature is small and simple enough, the benefit of such a label would be marginal.
238
240
239
241
***What are the SLIs (Service Level Indicators) an operator can use to determine
240
242
the health of the service?**
@@ -257,8 +259,8 @@ the health of the service?**
257
259
258
260
***Are there any missing metrics that would be useful to have to improve observability
259
261
of this feature?**
260
-
261
-
https://github.com/kubernetes/kubernetes/issues/98667 as mentioned above - aiming to implement this as part of beta.
262
+
263
+
No
262
264
263
265
### Dependencies
264
266
@@ -348,7 +350,7 @@ _This section must be completed when targeting beta graduation to a release._
348
350
In addition to existing k8s volume and CSI failure modes:
349
351
350
352
- Driver fails to apply FSGroup (due to a driver error).
351
-
- Detection: SLI above, in conjunction with the metric in https://github.com/kubernetes/kubernetes/issues/98667 to determine if this feature is being used.
353
+
- Detection: SLI above, in conjunction with the `DelegateFSGroupToCSIDriver` feature gate and `VOLUME_MOUNT_GROUP` node service capability in the CSI driver to determine if this feature is being used.
352
354
- Mitigations: Revert the CSI driver version to one without the issue, or avoid specifying an FSGroup in the pod's security context, if possible.
353
355
- Diagnostics: Depends on the driver. Generally look for FSGroup-related messages in `NodeStageVolume` and `NodePublishVolume` logs.
354
356
- Testing: Will add an e2e test with a test driver (csi-driver-host-path) simulating a FSGroup failure.
0 commit comments