@@ -28,7 +28,6 @@ import (
2828 "k8s.io/klog/v2"
2929
3030 api "k8s.io/api/core/v1"
31- v1 "k8s.io/api/core/v1"
3231 storage "k8s.io/api/storage/v1"
3332 apierrors "k8s.io/apimachinery/pkg/api/errors"
3433 "k8s.io/apimachinery/pkg/types"
@@ -278,30 +277,16 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
278277 klog .V (2 ).Info (log ("error checking for SELinux support: %s" , err ))
279278 }
280279
281- fsGroupFeatureGateEnabled := utilfeature .DefaultFeatureGate .Enabled (features .CSIVolumeFSGroupPolicy )
282- // If the feature gate isn't enabled, then adjust the CSIDriver to use the ReadWriteOnceWithFSTypeFSGroupPolicy
283- // policy. This keeps the default behavior.
284- if ! fsGroupFeatureGateEnabled {
285- c .fsGroupPolicy = storage .ReadWriteOnceWithFSTypeFSGroupPolicy
286- }
287-
288- // If the the FSGroupPolicy isn't NoneFSGroupPolicy, then we should attempt to modify
289- // the fsGroup. At this point the feature gate is enabled, so we should proceed,
290- // or it's disabled, at which point we should evaluate the fstype and pv.AccessMode
291- // and update the fsGroup appropriately.
292- if c .fsGroupPolicy != storage .NoneFSGroupPolicy {
293-
294- // The following logic is derived from https://github.com/kubernetes/kubernetes/issues/66323
295- // if fstype is "", then skip fsgroup (could be indication of non-block filesystem)
296- // if fstype is provided and pv.AccessMode == ReadWriteOnly, then apply fsgroup
297- err = c .applyFSGroup (fsType , mounterArgs .FsGroup , mounterArgs .FSGroupChangePolicy )
280+ if c .supportsFSGroup (fsType , mounterArgs .FsGroup , c .fsGroupPolicy ) {
281+ err := volume .SetVolumeOwnership (c , mounterArgs .FsGroup , mounterArgs .FSGroupChangePolicy )
298282 if err != nil {
299283 // At this point mount operation is successful:
300284 // 1. Since volume can not be used by the pod because of invalid permissions, we must return error
301285 // 2. Since mount is successful, we must record volume as mounted in uncertain state, so it can be
302286 // cleaned up.
303287 return volumetypes .NewUncertainProgressError (fmt .Sprintf ("applyFSGroup failed for vol %s: %v" , c .volumeID , err ))
304288 }
289+ klog .V (4 ).Info (log ("mounter.SetupAt fsGroup [%d] applied successfully to %s" , * mounterArgs .FsGroup , c .volumeID ))
305290 }
306291
307292 klog .V (4 ).Infof (log ("mounter.SetUp successfully requested NodePublish [%s]" , dir ))
@@ -386,48 +371,30 @@ func (c *csiMountMgr) TearDownAt(dir string) error {
386371 return nil
387372}
388373
389- // applyFSGroup applies the volume ownership it derives its logic
390- // from https://github.com/kubernetes/kubernetes/issues/66323
391- // 1) if fstype is "", then skip fsgroup (could be indication of non-block filesystem)
392- // 2) if fstype is provided and pv.AccessMode == ReadWriteOnly and !c.spec.ReadOnly then apply fsgroup
393- func (c * csiMountMgr ) applyFSGroup (fsType string , fsGroup * int64 , fsGroupChangePolicy * v1.PodFSGroupChangePolicy ) error {
394- if c .fsGroupPolicy == storage .FileFSGroupPolicy || fsGroup != nil {
395-
396- // If the FSGroupPolicy is ReadWriteOnceWithFSTypeFSGroupPolicy perform additional checks
397- // to determine if we should proceed with modifying the fsGroup.
398- if c .fsGroupPolicy == storage .ReadWriteOnceWithFSTypeFSGroupPolicy {
399- if fsType == "" {
400- klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, fsType not provided" ))
401- return nil
402- }
403-
404- accessModes := c .spec .PersistentVolume .Spec .AccessModes
405- if c .spec .PersistentVolume .Spec .AccessModes == nil {
406- klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, access modes not provided" ))
407- return nil
408- }
409- if ! hasReadWriteOnce (accessModes ) {
410- klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, only support ReadWriteOnce access mode" ))
411- return nil
412- }
413-
414- if c .readOnly {
415- klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, volume is readOnly" ))
416- return nil
417- }
418- }
374+ func (c * csiMountMgr ) supportsFSGroup (fsType string , fsGroup * int64 , driverPolicy storage.FSGroupPolicy ) bool {
375+ if fsGroup == nil || driverPolicy == storage .NoneFSGroupPolicy || c .readOnly {
376+ return false
377+ }
419378
420- err := volume .SetVolumeOwnership (c , fsGroup , fsGroupChangePolicy )
421- if err != nil {
422- return err
423- }
379+ if driverPolicy == storage .FileFSGroupPolicy {
380+ return true
381+ }
424382
425- if fsGroup != nil {
426- klog .V (4 ).Info (log ("mounter.SetupAt fsGroup [%d] applied successfully to %s" , * fsGroup , c . volumeID ))
427- }
383+ if fsType == "" {
384+ klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, fsType not provided" ))
385+ return false
428386 }
429387
430- return nil
388+ accessModes := c .spec .PersistentVolume .Spec .AccessModes
389+ if c .spec .PersistentVolume .Spec .AccessModes == nil {
390+ klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, access modes not provided" ))
391+ return false
392+ }
393+ if ! hasReadWriteOnce (accessModes ) {
394+ klog .V (4 ).Info (log ("mounter.SetupAt WARNING: skipping fsGroup, only support ReadWriteOnce access mode" ))
395+ return false
396+ }
397+ return true
431398}
432399
433400// isDirMounted returns the !notMounted result from IsLikelyNotMountPoint check
0 commit comments