The user can fail to write to a volume even if fsGroup is properly set in securityContext #835
Description
What happened:
Even if user explicitly requires the same fsGroup as runAsUser and runAsGroup for a Pod:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1002
runAsGroup: 1002
fsGroup: 1002
he/she will fail to write to the volume:
bash-5.2$ touch /mnt/claim/FILE
touch: cannot touch '/mnt/claim/FILE': Permission denied
if StorageClass does not set uid/gid or dir_mode or noperm:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: samba
provisioner: smb.csi.k8s.io
parameters:
source: //samba-server.samba-server.svc.cluster.local/share
csi.storage.k8s.io/provisioner-secret-name: smbcreds
csi.storage.k8s.io/provisioner-secret-namespace: samba-server
csi.storage.k8s.io/node-stage-secret-name: smbcreds
csi.storage.k8s.io/node-stage-secret-namespace: samba-server
reclaimPolicy: Delete
volumeBindingMode: Immediate
mountOptions:
- file_mode=0777
- mfsymlinks
- cache=strict
- noserverino
What you expected to happen:
If user requests the same fsGroup as runAsGroup in securityContext section of a pod definition, SMB CSI driver must construct mount options letting full access for that volume.
How to reproduce it:
Create StorageClass:
kubectl apply -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: samba
provisioner: smb.csi.k8s.io
parameters:
source: //samba-server.samba-server.svc.cluster.local/share
csi.storage.k8s.io/provisioner-secret-name: smbcreds
csi.storage.k8s.io/provisioner-secret-namespace: samba-server
csi.storage.k8s.io/node-stage-secret-name: smbcreds
csi.storage.k8s.io/node-stage-secret-namespace: samba-server
reclaimPolicy: Delete
volumeBindingMode: Immediate
mountOptions:
- file_mode=0777
- mfsymlinks
- cache=strict
- noserverino
EOF
for a samba server from https://github.com/samba-in-kubernetes/samba-container .
Create a Pod requesting samba PV:
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: claim
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Mi
storageClassName: samba
---
apiVersion: v1
kind: Pod
metadata:
name: fedora
labels:
app: fedora
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1002
runAsGroup: 1002
fsGroup: 1002
volumes:
- name: claim2-vol
persistentVolumeClaim:
claimName: claim
containers:
- image: registry.fedoraproject.org/fedora-minimal
command:
- "sleep"
- "604800"
imagePullPolicy: IfNotPresent
name: fedora
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- "ALL"
volumeMounts:
- mountPath: "/mnt/claim"
name: claim2-vol
restartPolicy: Always
Verify that the volume is not write-able from the Pod:
$ kubectl exec -it fedora -- bash
bash-5.2$ touch /mnt/claim/FILE
touch: cannot touch '/mnt/claim/FILE': Permission denied
Anything else we need to know?:
Environment:
-
CSI Driver version: Image manually built by
docker build ... -f ./cmd/smbplugin/Dockerfile .from the top of upstream master branch (commit 4d10e97 of https://github.com/kubernetes-csi/csi-driver-smb.git) -
Kubernetes version (use
kubectl version):
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.3