FSGroup
Manage FSGroup Using Pod Security Context and CSI Driver Spec
We can manage permission change of volume using fsGroup. This helps non-root process to access the volume. CSI driver spec and Pod security context help us on when to apply permission change using fsGroup.
External Links Describing this Feature
Implementation Details
Volume ownership and permission are managed by kubelet. To mount CSI volume kubelet calls NodePublishVolume implemented by SP, after successful mount it tries to apply ownership and permission if required. Every volume in Kubernetes like configmap, secret, CSI volume implements Mounter and Unmounter interface. Volume ownership and permission are part of the SetUp method of CSI Mounter.
_________________________ Kubernetes Node _________________________________
| _________ kubelet ___________ _________ CSI Node Driver _________ |
| | | | | |
| | - CSI Mounter | | | |
| | - Task a | | | |
| | - Task b | | - NodePublishVolume | |
| | - NodePublishVolume | | (How to mount the volume) | |
| | - SetVolumeOwnership | | | |
| | - Task x | | | |
| | - Task y | | | |
| |_____________________________| |___________________________________| |
|___________________________________________________________________________|
Configuration
Storage admin can set FSGroupPolicy in CSI Driver spec with 3 values.
- ReadWriteOnceWithFSType - Modify the volume ownership and permissions to the defined
fsGroupwhen theaccessModeisRWOandfsTypeis set. - None - Mount the volume without attempting to modify volume ownership or permissions.
- File - Always attempt to apply the defined
fsGroupto modify volume ownership and permissions regardless offsTypeoraccessMode.
Sample CSI Driver
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: local.csi.openebs.io
spec:
attachRequired: false
fsGroupPolicy: File
#fsGroupPolicy: None
#fsGroupPolicy: ReadWriteOnceWithFSType
podInfoOnMount: true
volumeLifecycleModes:
- Persistent
Application developer can set PodFSGroupChangePolicy in Pod spec with 2 values.
- OnRootMismatch - Only perform permission and ownership change if permissions of top-level directory do not match with expected permissions and ownership.
- Always - Always change the permissions and ownership to match
fsGroup.
Sample Pod
apiVersion: v1
kind: Pod
metadata:
name: security-context
spec:
securityContext:
runAsUser: 2000
runAsGroup: 3000
fsGroup: 6000
fsGroupChangePolicy: OnRootMismatch
#fsGroupChangePolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: csi-volume
containers:
- name: security-context
image: busybox
imagePullPolicy: IfNotPresent
command: [ "sh", "-c", "sleep 24h" ]
volumeMounts:
- name: data
mountPath: /data
Test Plans
Test plans are a combination of:
- CSIDriver.Spec.FSGroupPolicy
- File
- None
- ReadWriteOnceWithFSType
- PersistentVolumeClaim.Status.AccessModes
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
LVM CSI driver supports only ReadWriteOnly access mode so updated combination:
- CSIDriver.Spec.FSGroupPolicy
- File
- None
- ReadWriteOnceWithFSType
- PersistentVolumeClaim.Status.AccessModes
- ReadWriteOnce
FSGroupPolicy File and ReadWriteOnceWithFSType are equal for accesstype ReadWriteOnce.
Here are the test cases -
- Deploy CSI Driver with
FSGroupPolicyReadWriteOnceWithFSTypeinitial and updated non-root process should be able to access the volume. - Deploy CSI Driver with
FSGroupPolicyFileinitial and updated non-root process should be able to access the volume. - Deploy CSI Driver with
FSGroupPolicyNoneinitial and updated non-root process should not be able to access the volume. - For all
FSGroupPolicyroot process should be able to access volume. - If
fsGroupis missing from the Pod spec then non-root process should not be able to access the volume.