| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: "Kubernetes 1.26: 支持在挂载时将 Pod fsGroup 传递给 CSI 驱动程序" |
| 4 | +date: 2022-12-23 |
| 5 | +slug: kubernetes-12-06-fsgroup-on-mount |
| 6 | +--- |
| 7 | + |
| 8 | +<!-- |
| 9 | +layout: blog |
| 10 | +title: "Kubernetes 1.26: Support for Passing Pod fsGroup to CSI Drivers At Mount Time" |
| 11 | +date: 2022-12-23 |
| 12 | +slug: kubernetes-12-06-fsgroup-on-mount |
| 13 | +--> |
| 14 | + |
| 15 | +<!-- |
| 16 | +**Authors:** Fabio Bertinatto (Red Hat), Hemant Kumar (Red Hat) |
| 17 | +--> |
| 18 | +**作者:** Fabio Bertinatto (Red Hat), Hemant Kumar (Red Hat) |
| 19 | + |
| 20 | +**译者:** Xin Li (DaoCloud) |
| 21 | + |
| 22 | +<!-- |
| 23 | +Delegation of `fsGroup` to CSI drivers was first introduced as alpha in Kubernetes 1.22, |
| 24 | +and graduated to beta in Kubernetes 1.25. |
| 25 | +For Kubernetes 1.26, we are happy to announce that this feature has graduated to |
| 26 | +General Availability (GA). |
| 27 | +
|
| 28 | +In this release, if you specify a `fsGroup` in the |
| 29 | +[security context](/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod), |
| 30 | +for a (Linux) Pod, all processes in the pod's containers are part of the additional group |
| 31 | +that you specified. |
| 32 | +--> |
| 33 | +将 `fsGroup` 委托给 CSI 驱动程序管理首先在 Kubernetes 1.22 中作为 Alpha 特性引入, |
| 34 | +并在 Kubernetes 1.25 中进阶至 Beta 状态。 |
| 35 | +对于 Kubernetes 1.26,我们很高兴地宣布此特性已进阶至正式发布(GA)状态。 |
| 36 | + |
| 37 | +在此版本中,如果你在 Pod(Linux) |
| 38 | +的[安全上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)中指定一个 `fsGroup`, |
| 39 | +则该 Pod 容器中的所有进程都是该附加组的一部分。 |
| 40 | + |
| 41 | +<!-- |
| 42 | +In previous Kubernetes releases, the kubelet would *always* apply the |
| 43 | +`fsGroup` ownership and permission changes to files in the volume according to the policy |
| 44 | +you specified in the Pod's `.spec.securityContext.fsGroupChangePolicy` field. |
| 45 | +
|
| 46 | +Starting with Kubernetes 1.26, CSI drivers have the option to apply the `fsGroup` settings during |
| 47 | +volume mount time, which frees the kubelet from changing the permissions of files and directories |
| 48 | +in those volumes. |
| 49 | +--> |
| 50 | +在以前的 Kubernetes 版本中,kubelet **总是**根据 Pod 的 |
| 51 | +`.spec.securityContext.fsGroupChangePolicy` 字段中指定的策略, |
| 52 | +将 `fsGroup` 属主关系和权限的更改应用于卷中的文件。 |
| 53 | + |
| 54 | +从 Kubernetes 1.26 开始,CSI 驱动程序可以选择在卷挂载期间应用 `fsGroup` 设置, |
| 55 | +这使 kubelet 无需更改这些卷中文件和目录的权限。 |
| 56 | + |
| 57 | +<!-- |
| 58 | +## How does it work? |
| 59 | +
|
| 60 | +CSI drivers that support this feature should advertise the |
| 61 | +[`VOLUME_MOUNT_GROUP`](https://github.com/container-storage-interface/spec/blob/master/spec.md#nodegetcapabilities) node capability. |
| 62 | +--> |
| 63 | +## 它是如何工作的? |
| 64 | + |
| 65 | +支持此功能的 CSI 驱动程序应通告其 `VOLUME_MOUNT_GROUP` 节点能力。 |
| 66 | + |
| 67 | +<!-- |
| 68 | +After recognizing this information, the kubelet passes the `fsGroup` information to |
| 69 | +the CSI driver during pod startup. This is done through the |
| 70 | +[`NodeStageVolumeRequest`](https://github.com/container-storage-interface/spec/blob/v1.7.0/spec.md#nodestagevolume) and |
| 71 | +[`NodePublishVolumeRequest`](https://github.com/container-storage-interface/spec/blob/v1.7.0/spec.md#nodepublishvolume) |
| 72 | +CSI calls. |
| 73 | +
|
| 74 | +Consequently, the CSI driver is expected to apply the `fsGroup` to the files in the volume using a |
| 75 | +_mount option_. As an example, [Azure File CSIDriver](https://github.com/kubernetes-sigs/azurefile-csi-driver) utilizes the `gid` mount option to map |
| 76 | +the `fsGroup` information to all the files in the volume. |
| 77 | +--> |
| 78 | +kubelet 识别此信息后,在 Pod 启动期间将 fsGroup 信息传递给 CSI 驱动程序。 |
| 79 | +这个过程是通过 [`NodeStageVolumeRequest`](https://github.com/container-storage-interface/spec/blob/v1.7.0/spec.md#nodestagevolume) |
| 80 | +和 [`NodePublishVolumeRequest`](https://github.com/container-storage-interface/spec/blob/v1.7.0/spec.md#nodepublishvolume) |
| 81 | +CSI 调用完成的。 |
| 82 | + |
| 83 | +因此,CSI 驱动程序应使用**挂载选项**将 `fsGroup` 应用到卷中的文件上。 |
| 84 | +例如,[Azure File CSIDriver](https://github.com/kubernetes-sigs/azurefile-csi-driver) |
| 85 | +利用 `gid` 挂载选项将 `fsGroup` 信息映射到卷中的所有文件。 |
| 86 | + |
| 87 | +<!-- |
| 88 | +It should be noted that in the example above the kubelet refrains from directly |
| 89 | +applying the permission changes into the files and directories in that volume files. |
| 90 | +Additionally, two policy definitions no longer have an effect: neither |
| 91 | +`.spec.fsGroupPolicy` for the CSIDriver object, nor |
| 92 | +`.spec.securityContext.fsGroupChangePolicy` for the Pod. |
| 93 | +
|
| 94 | +For more details about the inner workings of this feature, check out the |
| 95 | +[enhancement proposal](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/2317-fsgroup-on-mount/) |
| 96 | +and the [CSI Driver `fsGroup` Support](https://kubernetes-csi.github.io/docs/support-fsgroup.html) |
| 97 | +in the CSI developer documentation. |
| 98 | +--> |
| 99 | +应该注意的是,在上面的示例中,kubelet 避免直接将权限更改应用于该卷文件中的文件和目录。 |
| 100 | +此外,有两个策略定义不再有效:CSIDriver 对象的 `.spec.fsGroupPolicy` 和 |
| 101 | +Pod 的 `.spec.securityContext.fsGroupChangePolicy` 都不再起作用。 |
| 102 | + |
| 103 | +有关此功能内部工作原理的更多详细信息,请查看 CSI |
| 104 | +开发人员文档中的[增强建议](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/2317-fsgroup-on-mount/)和 |
| 105 | +[CSI 驱动程序 `fsGroup` 支持](https://kubernetes-csi.github.io/docs/support-fsgroup.html)。 |
| 106 | + |
| 107 | +<!-- |
| 108 | +## Why is it important? |
| 109 | +
|
| 110 | +Without this feature, applying the fsGroup information to files is not possible in certain storage environments. |
| 111 | +
|
| 112 | +For instance, Azure File does not support a concept of POSIX-style ownership and permissions |
| 113 | +of files. The CSI driver is only able to set the file permissions at the volume level. |
| 114 | +--> |
| 115 | +## 这一特性为何重要? |
| 116 | + |
| 117 | +如果没有此功能,则无法在某些存储环境中将 fsGroup 信息应用于文件。 |
| 118 | + |
| 119 | +例如,Azure 文件不支持 POSIX 风格的文件所有权和权限概念,CSI 驱动程序只能在卷级别设置文件权限。 |
| 120 | + |
| 121 | +<!-- |
| 122 | +## How do I use it? |
| 123 | +
|
| 124 | +This feature should be mostly transparent to users. If you maintain a CSI driver that should |
| 125 | +support this feature, read |
| 126 | +[CSI Driver `fsGroup` Support](https://kubernetes-csi.github.io/docs/support-fsgroup.html) |
| 127 | +for more information on how to support this feature in your CSI driver. |
| 128 | +
|
| 129 | +Existing CSI drivers that do not support this feature will continue to work as usual: |
| 130 | +they will not receive any `fsGroup` information from the kubelet. In addition to that, |
| 131 | +the kubelet will continue to perform the ownership and permissions changes to files |
| 132 | +for those volumes, according to the policies specified in `.spec.fsGroupPolicy` for the |
| 133 | +CSIDriver and `.spec.securityContext.fsGroupChangePolicy` for the relevant Pod. |
| 134 | +--> |
| 135 | +## 我该如何使用它? |
| 136 | + |
| 137 | +此功能应该对用户基本透明。如果你维护应支持此功能的 CSI 驱动程序, |
| 138 | +请阅读 [CSI 驱动程序 `fsGroup` 支持](https://kubernetes-csi.github.io/docs/support-fsgroup.html) |
| 139 | +以获取有关如何在你的 CSI 驱动程序中支持此功能的更多信息。 |
| 140 | + |
| 141 | +不支持此功能的现有 CSI 驱动程序将继续照常工作:他们不会从 kubelet 收到任何 |
| 142 | +`fsGroup` 信息。除此之外,kubelet 将根据 CSIDriver 的 |
| 143 | +`.spec.fsGroupPolicy` 和相关 Pod 的 `.spec.securityContext.fsGroupChangePolicy` |
| 144 | +中指定的策略,继续对这些卷中文件的属主关系和权限进行更改。 |
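Review bot: In the paragraph beginning `有关此功能内部工作原理的更多详细信息`, the phrase `CSI 开发人员文档中的` is attached to both links, which places the enhancement proposal inside the CSI developer documentation; the English source says that only about the second link (`CSI Driver fsGroup Support`), while the KEP lives under kubernetes/enhancements. Suggested wording: `请查看[增强建议](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/2317-fsgroup-on-mount/)以及 CSI 开发人员文档中的 [CSI 驱动程序 `fsGroup` 支持](https://kubernetes-csi.github.io/docs/support-fsgroup.html)。` Two smaller points in the same hunk: the line `支持此功能的 CSI 驱动程序应通告其 `VOLUME_MOUNT_GROUP` 节点能力。` drops the link to the CSI spec (`https://github.com/container-storage-interface/spec/blob/master/spec.md#nodegetcapabilities`) that the English source carries on `VOLUME_MOUNT_GROUP`, so readers of the Chinese page lose the reference for which capability to advertise; and in `他们不会从 kubelet 收到任何`, `他们` refers to CSI drivers, so it should be `它们`. Minor: `fsGroup` in `在 Pod 启动期间将 fsGroup 信息传递给 CSI 驱动程序` should be code-formatted as in the English source and the rest of the translation.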