feat: enforce SINGLE_NODE_SINGLE_WRITER access mode in node publish

chrishenzie · chrishenzie · commit bad071182a63 · 2022-12-06T17:55:34.000-08:00
Return FAILED_PRECONDITION if a volume in NodePublish uses the SINGLE_NODE_SINGLE_WRITER access mode and is already mounted elsewhere on the node. See the second table in this section for more details: https://github.com/container-storage-interface/spec/blob/v1.7.0/spec.md#nodepublishvolume
diff --git a/pkg/hostpath/nodeserver.go b/pkg/hostpath/nodeserver.go
@@ -31,10 +31,13 @@ import (
 	"k8s.io/utils/mount"
 )
 
-const TopologyKeyNode = "topology.hostpath.csi/node"
+const (
+	TopologyKeyNode = "topology.hostpath.csi/node"
 
-func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
+	failedPreconditionAccessModeConflict = "volume uses SINGLE_NODE_SINGLE_WRITER access mode and is already mounted at a different target path"
+)
 
+func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
 	// Check arguments
 	if req.GetVolumeCapability() == nil {
 		return nil, status.Error(codes.InvalidArgument, "Volume capability missing in request")
@@ -82,6 +85,10 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 		return nil, status.Error(codes.NotFound, err.Error())
 	}
 
+	if hasSingleNodeSingleWriterAccessMode(req) && isMountedElsewhere(req, vol) {
+		return nil, status.Error(codes.FailedPrecondition, failedPreconditionAccessModeConflict)
+	}
+
 	if !ephemeralVolume {
 		if vol.Staged.Empty() {
 			return nil, status.Errorf(codes.FailedPrecondition, "volume %q must be staged before publishing", vol.VolID)
@@ -521,3 +528,21 @@ func makeFile(pathname string) error {
 	}
 	return nil
 }
+
+// hasSingleNodeSingleWriterAccessMode checks if the publish request uses the
+// SINGLE_NODE_SINGLE_WRITER access mode.
+func hasSingleNodeSingleWriterAccessMode(req *csi.NodePublishVolumeRequest) bool {
+	accessMode := req.GetVolumeCapability().GetAccessMode()
+	return accessMode != nil && accessMode.GetMode() == csi.VolumeCapability_AccessMode_SINGLE_NODE_SINGLE_WRITER
+}
+
+// isMountedElsewhere checks if the volume to publish is mounted elsewhere on
+// the node.
+func isMountedElsewhere(req *csi.NodePublishVolumeRequest, vol state.Volume) bool {
+	for _, targetPath := range vol.Published {
+		if targetPath != req.GetTargetPath() {
+			return true
+		}
+	}
+	return false
+}
