fix: respect ReadOnly AccessMode in volume mount

andyzhangx · andyzhangx · commit dd86e428f45a · 2024-08-03T06:55:52.000Z
fix
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -1099,3 +1099,12 @@ func isSupportedFSGroupChangePolicy(policy string) bool {
 	}
 	return false
 }
+
+func isReadOnlyFromCapability(vc *csi.VolumeCapability) bool {
+	if vc.GetAccessMode() == nil {
+		return false
+	}
+	mode := vc.GetAccessMode().GetMode()
+	return (mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
+		mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY)
+}
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -29,6 +29,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
+	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 	"golang.org/x/sync/errgroup"
@@ -1822,3 +1823,59 @@ func TestIsSupportedFSGroupChangePolicy(t *testing.T) {
 		}
 	}
 }
+
+func TestIsReadOnlyFromCapability(t *testing.T) {
+	testCases := []struct {
+		name           string
+		vc             *csi.VolumeCapability
+		expectedResult bool
+	}{
+		{
+			name:           "false with empty capabilities",
+			vc:             &csi.VolumeCapability{},
+			expectedResult: false,
+		},
+		{
+			name: "fail with capabilities no access mode",
+			vc: &csi.VolumeCapability{
+				AccessType: &csi.VolumeCapability_Mount{
+					Mount: &csi.VolumeCapability_MountVolume{},
+				},
+			},
+		},
+		{
+			name: "false with SINGLE_NODE_WRITER capabilities",
+			vc: &csi.VolumeCapability{
+				AccessMode: &csi.VolumeCapability_AccessMode{
+					Mode: csi.VolumeCapability_AccessMode_SINGLE_NODE_WRITER,
+				},
+			},
+			expectedResult: false,
+		},
+		{
+			name: "true with MULTI_NODE_READER_ONLY capabilities",
+			vc: &csi.VolumeCapability{
+				AccessMode: &csi.VolumeCapability_AccessMode{
+					Mode: csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY,
+				},
+			},
+			expectedResult: true,
+		},
+		{
+			name: "true with SINGLE_NODE_READER_ONLY capabilities",
+			vc: &csi.VolumeCapability{
+				AccessMode: &csi.VolumeCapability_AccessMode{
+					Mode: csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY,
+				},
+			},
+			expectedResult: true,
+		},
+	}
+
+	for _, test := range testCases {
+		result := isReadOnlyFromCapability(test.vc)
+		if result != test.expectedResult {
+			t.Errorf("case(%s): isReadOnlyFromCapability returned with %v, not equal to %v", test.name, result, test.expectedResult)
+		}
+	}
+}
diff --git a/pkg/blob/nodeserver.go b/pkg/blob/nodeserver.go
@@ -248,6 +248,11 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	defer d.volumeLocks.Release(lockKey)
 
 	mountFlags := req.GetVolumeCapability().GetMount().GetMountFlags()
+	if isReadOnlyFromCapability(volumeCapability) {
+		mountFlags = append(mountFlags, "ro")
+		klog.V(2).Infof("CSI volume is read-only, mounting with extra option ro")
+	}
+
 	volumeMountGroup := req.GetVolumeCapability().GetMount().GetVolumeMountGroup()
 	attrib := req.GetVolumeContext()
 	secrets := req.GetSecrets()

Original file line number	Diff line number	Diff line change
`@@ -1099,3 +1099,12 @@ func isSupportedFSGroupChangePolicy(policy string) bool {`
`1099`	`1099`	`}`
`1100`	`1100`	`return false`
`1101`	`1101`	`}`
	`1102`	`+`
	`1103`	`+func isReadOnlyFromCapability(vc *csi.VolumeCapability) bool {`
	`1104`	`+ if vc.GetAccessMode() == nil {`
	`1105`	`+ return false`
	`1106`	`+ }`
	`1107`	`+ mode := vc.GetAccessMode().GetMode()`
	`1108`	`+ return (mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY \|\|`
	`1109`	`+ mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY)`
	`1110`	`+}`