Fix #8 - uses fsGroup from the pod securityContext

juliohm1978 · Nov 5, 2019 · 4e2570b · 4e2570b
1 parent 758bc8c
commit 4e2570b
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 TAGNAME = juliohm/kubernetes-cifs-volumedriver-installer
-VERSION = 0.4
+VERSION = 0.5-beta
 
 build: Dockerfile
 	docker build -t $(TAGNAME):$(VERSION) .

diff --git a/README.md b/README.md
@@ -11,6 +11,8 @@ It has been tested under Kubernetes versions:
 * 1.12.x
 * 1.13.x
 * 1.14.x
+* 1.15.x
+* 1.16.x
 
 ## Pre-requisites
 
@@ -114,6 +116,69 @@ metadata:
 type: juliohm/cifs
 ```
 
+## Using `securityContext` to inform uid/gid parameters
+
+Starting at version 0.5, the driver will also accept values coming from the Pod's `securityContext`.
+
+For example, consider the following Deployment:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+        volumeMounts:
+          - name: test
+            mountPath: /dados
+      securityContext:
+        runAsUser: 33
+        runAsGroup: 33
+        fsGroup: 33
+      volumes:
+        - name: test
+          persistentVolumeClaim:
+            claimName: test-claim
+```
+
+... which defines a `securityContext`.
+
+```yaml
+      securityContext:
+        runAsUser: 33
+        runAsGroup: 33
+        fsGroup: 33
+```
+
+The value of `fsGroup` is passed to the volume driver, but previous version would ignore that. It is now used to construct `uid` and `gid` parameters for the mount command.
+
+If you are using versions older than 0.5, you can still workaround by including these values in the `spec.flexVolume.options.opts` field of the PersistentVolume.
+
+```yaml
+## PV spec
+spec:
+  flexVolume:
+    driver: juliohm/cifs
+    options:
+      opts: domain=Foo,uid=33,gid=33
+```
+
 ## Notes Failures and Known Issues
 
 For most issues reported until now, the root cause was not related to the driver itself. Understanding what's happening at runtime can be challenging.

diff --git a/juliohm~cifs/cifs b/juliohm~cifs/cifs
@@ -1,20 +1,19 @@
 #!/bin/bash
 
 # Example of a json payload received by this script (k8s 1.8)
-#		{
-#			"kubernetes.io/fsType": "cifs",
-#			"kubernetes.io/pod.name": "testcifs-node0",
-#			"kubernetes.io/pod.namespace": "default",
-#			"kubernetes.io/pod.uid": "91d86beda23229b4a609a39d936c5690",
-#			"kubernetes.io/pvOrVolumeName": "test",
-#			"kubernetes.io/readwrite": "rw",
-#			"kubernetes.io/secret/password": "***",
-#			"kubernetes.io/secret/username": "***",
-#			"kubernetes.io/serviceAccount.name": "",
-#			"opts": "sec=ntlm,uid=106",
-#			"server": "my-cifs-host",
-#			"share": "/MySharedDirectory"
-#		}
+# {
+#   "kubernetes.io/fsType": "",
+#   "kubernetes.io/mounterArgs.FsGroup": "33",
+#   "kubernetes.io/pod.name": "nginx-deployment-549ddfb5fc-rnqk8",
+#   "kubernetes.io/pod.namespace": "default",
+#   "kubernetes.io/pod.uid": "bb6b2e46-c80d-4c86-920c-8e08736fa211",
+#   "kubernetes.io/pvOrVolumeName": "test-volume",
+#   "kubernetes.io/readwrite": "rw",
+#   "kubernetes.io/serviceAccount.name": "default",
+#   "opts": "domain=Foo",
+#   "server": "fooserver123",
+#   "share": "/test"
+# }
 
 usage() {
   err "Invalid usage. Usage: "
@@ -49,13 +48,17 @@ ismounted() {
 domount() {
   MNTPATH=$1
 
+  # testing with minikube
+  # echo "$2" | jq '.' > /hosthome/juliohm/workspace/github/kubernetes-cifs-volumedriver/asdf.json
+
   CIFS_SERVER=$(echo $2 | jq -r '.server')
   CIFS_SHARE=$(echo $2 | jq -r '.share')
   PODID=$(echo $2 | jq -r '.["kubernetes.io/pod.uid"] // empty')
   DOMAIN=$(echo $2 | jq -r '.["kubernetes.io/secret/domain"] // empty' | base64 -d)
   PASSWORD=$(echo $2 | jq -r '.["kubernetes.io/secret/password"] // empty' | base64 -d)
   USERNAME=$(echo $2 | jq -r '.["kubernetes.io/secret/username"] // empty' | base64 -d)
   READWRITE=$(echo $2 | jq -r '.["kubernetes.io/readwrite"] // empty')
+  FSGROUP=$(echo $2 | jq -r '.["kubernetes.io/mounterArgs.FsGroup"] // empty')
   OPTS=$(echo $2 | jq -r '.opts')
 
   if [[ "$READWRITE" == "" ]]; then
@@ -72,6 +75,10 @@ domount() {
     FINALOPTS="$FINALOPTS,$OPTS,$READWRITE"
   fi
 
+  if [[ "$FSGROUP" != "" && "$FSGROUP" != "null" ]]; then
+    FINALOPTS="$FINALOPTS,uid=$FSGROUP,gid=$FSGROUP"
+  fi
+
   if [ $(ismounted) -eq 1 ] ; then
     log '{"status": "Success"}'
     exit 0
@@ -90,6 +97,9 @@ domount() {
           echo "password=$PASSWORD" >> /tmp/temporary.$PODID.tmp
   fi
 
+  # testing with minikube
+  # echo "mount -t cifs -o $FINALOPTS \"//$CIFS_SERVER$CIFS_SHARE\" \"$MNTPATH\" &> /dev/null" > /hosthome/juliohm/workspace/github/kubernetes-cifs-volumedriver/asdf.mount
+
   mount -t cifs -o $FINALOPTS "//$CIFS_SERVER$CIFS_SHARE" "$MNTPATH" &> /dev/null
   R=$?
   rm -fr /tmp/temporary.$PODID.tmp