Merge pull request #2679 from kubernetes-sigs/kata-extensible

chore: make runtimeClassHandler and confidentialContainerLabel configurable

Author: andyzhangx

pkg/azurefile/azurefile.go

@@ -162,7 +162,10 @@ const (
 	premium                           = "premium"
 	selectRandomMatchingAccountField  = "selectrandommatchingaccount"
 	accountQuotaField                 = "accountquota"
-	defaultKataCCLabel                = "kubernetes.azure.com/kata-cc-isolation"
+	confidentialContainerLabelField   = "confidentialcontainerlabel"
+	defaultConfidentialContainerLabel = "kubernetes.azure.com/kata-cc-isolation"
+	runtimeClassHandlerField          = "runtimeclasshandler"
+	defaultRuntimeClassHandler        = "kata-cc"
 
 	accountNotProvisioned = "StorageAccountIsNotProvisioned"
 	// this is a workaround fix for 429 throttling issue, will update cloud provider for better fix later
@@ -470,7 +473,7 @@ func (d *Driver) Run(ctx context.Context) error {
 	csi.RegisterControllerServer(server, d)
 	csi.RegisterNodeServer(server, d)
 	d.server = server
-	d.isKataNode = isKataNode(ctx, d.NodeID, d.kubeClient)
+	d.isKataNode = isKataNode(ctx, d.NodeID, defaultConfidentialContainerLabel, d.kubeClient)
 
 	listener, err := csicommon.ListenEndpoint(ctx, d.endpoint)
 	if err != nil {
@@ -1343,7 +1346,7 @@ func (d *Driver) getFileShareClientForSub(subscriptionID string) (fileshareclien
 	return d.cloud.ComputeClientFactory.GetFileShareClientForSub(subscriptionID)
 }
 
-func isKataNode(ctx context.Context, nodeID string, kubeClient clientset.Interface) bool {
+func isKataNode(ctx context.Context, nodeID, confidentialContainerLabel string, kubeClient clientset.Interface) bool {
 	if nodeID == "" {
 		return false
 	}
@@ -1364,7 +1367,7 @@ func isKataNode(ctx context.Context, nodeID string, kubeClient clientset.Interfa
 	}
 
 	// Check for the kata isolation labels
-	if _, ok := node.Labels[defaultKataCCLabel]; !ok {
+	if _, ok := node.Labels[confidentialContainerLabel]; !ok {
 		return false
 	}
 	klog.V(4).Infof("node(%s) is a kata node with labels: %v", nodeID, node.Labels)

pkg/azurefile/azurefile_test.go

@@ -1675,7 +1675,7 @@ func TestIsKataNode(t *testing.T) {
 			nodeName:    "test-node",
 			setupClient: true,
 			labels: map[string]string{
-				defaultKataCCLabel: "",
+				defaultConfidentialContainerLabel: "",
 			},
 			expected: true,
 		},
@@ -1684,7 +1684,7 @@ func TestIsKataNode(t *testing.T) {
 			nodeName:    "test-node",
 			setupClient: true,
 			labels: map[string]string{
-				defaultKataCCLabel: "test",
+				defaultConfidentialContainerLabel:             "test",
 				"kubernetes.azure.com/kata-mshv-vm-isolation": "true",
 				"katacontainers.io/kata-runtime":              "true",
 			},
@@ -1711,7 +1711,7 @@ func TestIsKataNode(t *testing.T) {
 				_, err := clientset.CoreV1().Nodes().Create(ctx, node, metav1.CreateOptions{})
 				assert.NoError(t, err)
 			}
-			result := isKataNode(ctx, tc.nodeName, clientset)
+			result := isKataNode(ctx, tc.nodeName, defaultConfidentialContainerLabel, clientset)
 			assert.Equal(t, tc.expected, result)
 		})
 	}

pkg/azurefile/controllerserver.go

@@ -226,10 +226,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case pvNameKey:
 			fileShareNameReplaceMap[pvNameMetadata] = v
 		case serverNameField:
-			// no op, only used in NodeStageVolume
 		case folderNameField:
-			// no op, only used in NodeStageVolume
 		case clientIDField:
+		case confidentialContainerLabelField:
+		case runtimeClassHandlerField:
 			// no op, only used in NodeStageVolume
 		case fsGroupChangePolicyField:
 			fsGroupChangePolicy = v

pkg/azurefile/controllerserver_test.go

@@ -906,22 +906,24 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 				}
 
 				allParam := map[string]string{
-					skuNameField:              "premium",
-					storageAccountTypeField:   "stoacctype",
-					locationField:             "loc",
-					storageAccountField:       "stoacc",
-					resourceGroupField:        "rg",
-					shareNameField:            "",
-					diskNameField:             "diskname.vhd",
-					fsTypeField:               "",
-					storeAccountKeyField:      "storeaccountkey",
-					secretNamespaceField:      "default",
-					mountPermissionsField:     "0755",
-					accountQuotaField:         "1000",
-					useDataPlaneAPIField:      "oauth",
-					clientIDField:             "client-id",
-					provisionedBandwidthField: "100",
-					provisionedIopsField:      "800",
+					skuNameField:                    "premium",
+					storageAccountTypeField:         "stoacctype",
+					locationField:                   "loc",
+					storageAccountField:             "stoacc",
+					resourceGroupField:              "rg",
+					shareNameField:                  "",
+					diskNameField:                   "diskname.vhd",
+					fsTypeField:                     "",
+					storeAccountKeyField:            "storeaccountkey",
+					secretNamespaceField:            "default",
+					mountPermissionsField:           "0755",
+					accountQuotaField:               "1000",
+					useDataPlaneAPIField:            "oauth",
+					clientIDField:                   "client-id",
+					provisionedBandwidthField:       "100",
+					provisionedIopsField:            "800",
+					runtimeClassHandlerField:        "runtime-handler",
+					confidentialContainerLabelField: "confidential-container-label",
 				}
 
 				req := &csi.CreateVolumeRequest{

pkg/azurefile/nodeserver.go

@@ -113,40 +113,52 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 			}
 		}
 
-		enableKataCCMount := d.isKataNode && d.enableKataCCMount
-		if enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
-			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.kubeClient, context[podNameField], context[podNamespaceField])
-			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-			}
-			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
-			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass)
-			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
+		if d.enableKataCCMount && context[podNameField] != "" && context[podNamespaceField] != "" {
+			enableKataCCMount := d.isKataNode
+			confidentialContainerLabel := getValueInMap(context, confidentialContainerLabelField)
+			if !enableKataCCMount && confidentialContainerLabel != "" {
+				klog.V(2).Infof("NodePublishVolume: checking if node %s is a kata node with confidential container label %s", d.NodeID, confidentialContainerLabel)
+				enableKataCCMount = isKataNode(ctx, d.NodeID, confidentialContainerLabel, d.kubeClient)
 			}
-			if isConfidentialRuntimeClass {
-				klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass is %s", volumeID, runtimeClass)
-				source := req.GetStagingTargetPath()
-				if len(source) == 0 {
-					return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
-				}
-				// Load the mount info from staging area
-				mountInfo, err := d.directVolume.VolumeMountInfo(source)
+
+			if enableKataCCMount {
+				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.kubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
 				}
-				if mountInfo == nil {
-					return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
+				runtimeClassHandler := getValueInMap(context, runtimeClassHandlerField)
+				if runtimeClassHandler == "" {
+					runtimeClassHandler = defaultRuntimeClassHandler
 				}
-				data, err := json.Marshal(mountInfo)
+				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass, runtimeClassHandler)
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
 				}
-				if err = d.directVolume.Add(target, string(data)); err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+				if isConfidentialRuntimeClass {
+					klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass is %s", volumeID, runtimeClass)
+					source := req.GetStagingTargetPath()
+					if len(source) == 0 {
+						return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+					}
+					// Load the mount info from staging area
+					mountInfo, err := d.directVolume.VolumeMountInfo(source)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					}
+					if mountInfo == nil {
+						return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					}
+					data, err := json.Marshal(mountInfo)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					}
+					if err = d.directVolume.Add(target, string(data)); err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+					}
+					klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
-				return &csi.NodePublishVolumeResponse{}, nil
 			}
 		}
 	}

pkg/azurefile/nodeserver_test.go

@@ -117,7 +117,7 @@ func mockGetRuntimeClassForPod(_ context.Context, _ clientset.Interface, _, _ st
 	return "mockRuntimeClass", nil
 }
 
-func mockIsConfidentialRuntimeClass(_ context.Context, _ clientset.Interface, _ string) (bool, error) {
+func mockIsConfidentialRuntimeClass(_ context.Context, _ clientset.Interface, _ string, _ string) (bool, error) {
 	return true, nil
 }
 

pkg/azurefile/utils.go

@@ -319,10 +319,8 @@ func isReadOnlyFromCapability(vc *csi.VolumeCapability) bool {
 		mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY)
 }
 
-const confidentialRuntimeClassHandler = "kata-cc"
-
 // check if runtimeClass is confidential
-func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interface, runtimeClassName string) (bool, error) {
+func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interface, runtimeClassName, runtimeClassHandler string) (bool, error) {
 	// if runtimeClassName is empty, return false
 	if runtimeClassName == "" {
 		return false, nil
@@ -336,7 +334,7 @@ func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interf
 		return false, err
 	}
 	klog.V(4).Infof("runtimeClass %s handler: %s", runtimeClassName, runtimeClass.Handler)
-	return runtimeClass.Handler == confidentialRuntimeClassHandler, nil
+	return runtimeClass.Handler == runtimeClassHandler, nil
 }
 
 // getBackOff returns a backoff object based on the config

pkg/azurefile/utils_test.go

@@ -806,7 +806,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 	ctx := context.TODO()
 
 	// Test the case where kubeClient is nil
-	_, err := isConfidentialRuntimeClass(ctx, nil, "test-runtime-class")
+	_, err := isConfidentialRuntimeClass(ctx, nil, "test-runtime-class", defaultRuntimeClassHandler)
 	if err == nil || err.Error() != "kubeClient is nil" {
 		t.Fatalf("expected error 'kubeClient is nil', got %v", err)
 	}
@@ -819,14 +819,14 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-runtime-class",
 		},
-		Handler: confidentialRuntimeClassHandler,
+		Handler: defaultRuntimeClassHandler,
 	}
 	_, err = clientset.NodeV1().RuntimeClasses().Create(ctx, runtimeClass, metav1.CreateOptions{})
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
 
-	isConfidential, err := isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class")
+	isConfidential, err := isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class", defaultRuntimeClassHandler)
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -847,7 +847,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 		t.Fatalf("expected no error, got %v", err)
 	}
 
-	isConfidential, err = isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class-non-confidential")
+	isConfidential, err = isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class-non-confidential", defaultRuntimeClassHandler)
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -857,7 +857,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 	}
 
 	// Test the case where the runtime class does not exist
-	_, err = isConfidentialRuntimeClass(ctx, clientset, "nonexistent-runtime-class")
+	_, err = isConfidentialRuntimeClass(ctx, clientset, "nonexistent-runtime-class", defaultRuntimeClassHandler)
 	if err == nil {
 		t.Fatalf("expected an error, got nil")
 	}