chore: make confidentialContainerLabel configurable in storage class

Author: andyzhangx

pkg/azurefile/azurefile.go

@@ -162,7 +162,8 @@ const (
 	premium                           = "premium"
 	selectRandomMatchingAccountField  = "selectrandommatchingaccount"
 	accountQuotaField                 = "accountquota"
-	defaultKataCCLabel                = "kubernetes.azure.com/kata-cc-isolation"
+	confidentialContainerLabelField   = "confidentialcontainerlabel"
+	defaultConfidentialContainerLabel = "kubernetes.azure.com/kata-cc-isolation"
 	runtimeClassHandlerField          = "runtimeclasshandler"
 	defaultRuntimeClassHandler        = "kata-cc"
 
@@ -472,7 +473,7 @@ func (d *Driver) Run(ctx context.Context) error {
 	csi.RegisterControllerServer(server, d)
 	csi.RegisterNodeServer(server, d)
 	d.server = server
-	d.isKataNode = isKataNode(ctx, d.NodeID, d.kubeClient)
+	d.isKataNode = isKataNode(ctx, d.NodeID, defaultConfidentialContainerLabel, d.kubeClient)
 
 	listener, err := csicommon.ListenEndpoint(ctx, d.endpoint)
 	if err != nil {
@@ -1345,7 +1346,7 @@ func (d *Driver) getFileShareClientForSub(subscriptionID string) (fileshareclien
 	return d.cloud.ComputeClientFactory.GetFileShareClientForSub(subscriptionID)
 }
 
-func isKataNode(ctx context.Context, nodeID string, kubeClient clientset.Interface) bool {
+func isKataNode(ctx context.Context, nodeID, confidentialContainerLabel string, kubeClient clientset.Interface) bool {
 	if nodeID == "" {
 		return false
 	}
@@ -1366,7 +1367,7 @@ func isKataNode(ctx context.Context, nodeID string, kubeClient clientset.Interfa
 	}
 
 	// Check for the kata isolation labels
-	if _, ok := node.Labels[defaultKataCCLabel]; !ok {
+	if _, ok := node.Labels[confidentialContainerLabel]; !ok {
 		return false
 	}
 	klog.V(4).Infof("node(%s) is a kata node with labels: %v", nodeID, node.Labels)

pkg/azurefile/azurefile_test.go

@@ -1675,7 +1675,7 @@ func TestIsKataNode(t *testing.T) {
 			nodeName:    "test-node",
 			setupClient: true,
 			labels: map[string]string{
-				defaultKataCCLabel: "",
+				defaultConfidentialContainerLabel: "",
 			},
 			expected: true,
 		},
@@ -1684,7 +1684,7 @@ func TestIsKataNode(t *testing.T) {
 			nodeName:    "test-node",
 			setupClient: true,
 			labels: map[string]string{
-				defaultKataCCLabel: "test",
+				defaultConfidentialContainerLabel:             "test",
 				"kubernetes.azure.com/kata-mshv-vm-isolation": "true",
 				"katacontainers.io/kata-runtime":              "true",
 			},
@@ -1711,7 +1711,7 @@ func TestIsKataNode(t *testing.T) {
 				_, err := clientset.CoreV1().Nodes().Create(ctx, node, metav1.CreateOptions{})
 				assert.NoError(t, err)
 			}
-			result := isKataNode(ctx, tc.nodeName, clientset)
+			result := isKataNode(ctx, tc.nodeName, defaultConfidentialContainerLabel, clientset)
 			assert.Equal(t, tc.expected, result)
 		})
 	}

pkg/azurefile/controllerserver.go

@@ -228,6 +228,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case serverNameField:
 		case folderNameField:
 		case clientIDField:
+		case confidentialContainerLabelField:
 		case runtimeClassHandlerField:
 			// no op, only used in NodeStageVolume
 		case fsGroupChangePolicyField:

pkg/azurefile/controllerserver_test.go

@@ -906,23 +906,24 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 				}
 
 				allParam := map[string]string{
-					skuNameField:              "premium",
-					storageAccountTypeField:   "stoacctype",
-					locationField:             "loc",
-					storageAccountField:       "stoacc",
-					resourceGroupField:        "rg",
-					shareNameField:            "",
-					diskNameField:             "diskname.vhd",
-					fsTypeField:               "",
-					storeAccountKeyField:      "storeaccountkey",
-					secretNamespaceField:      "default",
-					mountPermissionsField:     "0755",
-					accountQuotaField:         "1000",
-					useDataPlaneAPIField:      "oauth",
-					clientIDField:             "client-id",
-					provisionedBandwidthField: "100",
-					provisionedIopsField:      "800",
-					runtimeClassHandlerField:  "runtime-handler",
+					skuNameField:                    "premium",
+					storageAccountTypeField:         "stoacctype",
+					locationField:                   "loc",
+					storageAccountField:             "stoacc",
+					resourceGroupField:              "rg",
+					shareNameField:                  "",
+					diskNameField:                   "diskname.vhd",
+					fsTypeField:                     "",
+					storeAccountKeyField:            "storeaccountkey",
+					secretNamespaceField:            "default",
+					mountPermissionsField:           "0755",
+					accountQuotaField:               "1000",
+					useDataPlaneAPIField:            "oauth",
+					clientIDField:                   "client-id",
+					provisionedBandwidthField:       "100",
+					provisionedIopsField:            "800",
+					runtimeClassHandlerField:        "runtime-handler",
+					confidentialContainerLabelField: "confidential-container-label",
 				}
 
 				req := &csi.CreateVolumeRequest{

pkg/azurefile/nodeserver.go

@@ -113,44 +113,52 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 			}
 		}
 
-		enableKataCCMount := d.isKataNode && d.enableKataCCMount
-		if enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
-			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.kubeClient, context[podNameField], context[podNamespaceField])
-			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-			}
-			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
-			runtimeClassHandler := getValueInMap(context, runtimeClassHandlerField)
-			if runtimeClassHandler == "" {
-				runtimeClassHandler = defaultRuntimeClassHandler
-			}
-			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass, runtimeClassHandler)
-			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
+		if d.enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
+			enableKataCCMount := d.isKataNode
+			confidentialContainerLabel := getValueInMap(context, confidentialContainerLabelField)
+			if !enableKataCCMount && confidentialContainerLabel != "" {
+				klog.V(2).Infof("NodePublishVolume: checking if node %s is a kata node with confidential container label %s", d.NodeID, confidentialContainerLabel)
+				enableKataCCMount = isKataNode(ctx, d.NodeID, confidentialContainerLabel, d.kubeClient)
 			}
-			if isConfidentialRuntimeClass {
-				klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass is %s", volumeID, runtimeClass)
-				source := req.GetStagingTargetPath()
-				if len(source) == 0 {
-					return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
-				}
-				// Load the mount info from staging area
-				mountInfo, err := d.directVolume.VolumeMountInfo(source)
+
+			if enableKataCCMount {
+				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.kubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
 				}
-				if mountInfo == nil {
-					return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
+				runtimeClassHandler := getValueInMap(context, runtimeClassHandlerField)
+				if runtimeClassHandler == "" {
+					runtimeClassHandler = defaultRuntimeClassHandler
 				}
-				data, err := json.Marshal(mountInfo)
+				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass, runtimeClassHandler)
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
 				}
-				if err = d.directVolume.Add(target, string(data)); err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+				if isConfidentialRuntimeClass {
+					klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass is %s", volumeID, runtimeClass)
+					source := req.GetStagingTargetPath()
+					if len(source) == 0 {
+						return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+					}
+					// Load the mount info from staging area
+					mountInfo, err := d.directVolume.VolumeMountInfo(source)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					}
+					if mountInfo == nil {
+						return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					}
+					data, err := json.Marshal(mountInfo)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					}
+					if err = d.directVolume.Add(target, string(data)); err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+					}
+					klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
-				return &csi.NodePublishVolumeResponse{}, nil
 			}
 		}
 	}