Include CSIDriver SupportsFsGroup

api/openapi-spec/swagger.json

@@ -14879,6 +14879,10 @@
           "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.",
           "type": "boolean"
         },
+        "fsGroupPolicy": {
+          "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. If set to Supported, FSGroupPolicy indicates that the volumes provisioned by this CSIDriver support volume ownership and permission changes, and the filesystem will be modified to match the defined fsGroup every time the volume is mounted. If set to Unsupported, then the volume will be mounted without modifying the volume's ownership or permissions. Defaults to Heuristic, which results in the volume being examined and the volume ownership and permissions attempting to be updated only when the PodSecurityPolicy's fsGroup is explicitly defined, the fsType is defined, and the PersistentVolumes's accessModes includes RWO. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.",
+          "type": "string"
+        },
         "podInfoOnMount": {
           "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" iff the volume is an ephemeral inline volume\n                                defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.",
           "type": "boolean"
@@ -15497,6 +15501,10 @@
           "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.",
           "type": "boolean"
         },
+        "fsGroupPolicy": {
+          "description": "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. If set to Supported, FSGroupPolicy indicates that the volumes provisioned by this CSIDriver support volume ownership and permission changes, and the filesystem will be modified to match the defined fsGroup every time the volume is mounted. If set to Unsupported, then the volume will be mounted without modifying the volume's ownership or permissions. Defaults to Heuristic, which results in the volume being examined and the volume ownership and permissions attempting to be updated only when the PodSecurityPolicy's fsGroup is explicitly defined, the fsType is defined, and the PersistentVolumes's accessModes includes RWO. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.",
+          "type": "string"
+        },
         "podInfoOnMount": {
           "description": "If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" iff the volume is an ephemeral inline volume\n                                defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.",
           "type": "boolean"

pkg/apis/storage/types.go

@@ -277,6 +277,14 @@ type CSIDriverSpec struct {
 	// +optional
 	AttachRequired *bool
 
+	// Defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	// This field is alpha-level, and is only honored by servers
+	// that enable the CSIVolumeFSGroupPolicy feature gate.
+	// +optional
+	FSGroupPolicy *FSGroupPolicy
+
 	// If set to true, podInfoOnMount indicates this CSI volume driver
 	// requires additional pod information (like podName, podUID, etc.) during
 	// mount operations.
@@ -331,6 +339,37 @@ type CSIDriverSpec struct {
 	StorageCapacity *bool
 }
 
+// FSGroupPolicy specifies if a CSI Driver supports modifying
+// volume ownership and permissions of the volume to be mounted.
+// More modes may be added in the future.
+type FSGroupPolicy string
+
+const (
+	// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
+	// to determine if the volume ownership and permissions
+	// should be modified. If a fstype is defined and the volume's access mode
+	// contains ReadWriteOnce, then the defined fsGroup will be applied.
+	// This mode should be defined if it's expected that the
+	// fsGroup may need to be modified depending on the pod's SecurityPolicy.
+	// This is the default behavior if no other FSGroupPolicy is defined.
+	ReadWriteOnceWithFSTypeFSGroupPolicy FSGroupPolicy = "ReadWriteOnceWithFSType"
+
+	// FileFSGroupPolicy indicates that CSI driver supports volume ownership
+	// and permission change via fsGroup, and Kubernetes may use fsGroup
+	// to change permissions and ownership of the volume to match user requested fsGroup in
+	// the pod's SecurityPolicy regardless of fstype or access mode.
+	// This mode should be defined if the fsGroup is expected to always change on mount
+	FileFSGroupPolicy FSGroupPolicy = "File"
+
+	// NoneFSGroupPolicy indicates that volumes will be mounted without performing
+	// any ownership or permission modifications, as the CSIDriver does not support
+	// these operations.
+	// This mode should be selected if the CSIDriver does not support fsGroup modifications,
+	// for example when Kubernetes cannot change ownership and permissions on a volume due
+	// to root-squash settings on a NFS volume.
+	NoneFSGroupPolicy FSGroupPolicy = "None"
+)
+
 // VolumeLifecycleMode specifies how a CSI volume is used in Kubernetes.
 // More modes may be added in the future.
 type VolumeLifecycleMode string

pkg/apis/storage/v1/defaults.go

@@ -53,6 +53,10 @@ func SetDefaults_CSIDriver(obj *storagev1.CSIDriver) {
 		obj.Spec.StorageCapacity = new(bool)
 		*(obj.Spec.StorageCapacity) = false
 	}
+	if obj.Spec.FSGroupPolicy == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
+		obj.Spec.FSGroupPolicy = new(storagev1.FSGroupPolicy)
+		*obj.Spec.FSGroupPolicy = storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy
+	}
 	if len(obj.Spec.VolumeLifecycleModes) == 0 && utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		obj.Spec.VolumeLifecycleModes = append(obj.Spec.VolumeLifecycleModes, storagev1.VolumeLifecyclePersistent)
 	}

pkg/apis/storage/v1beta1/defaults.go

@@ -17,7 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -53,6 +53,10 @@ func SetDefaults_CSIDriver(obj *storagev1beta1.CSIDriver) {
 		obj.Spec.StorageCapacity = new(bool)
 		*(obj.Spec.StorageCapacity) = false
 	}
+	if obj.Spec.FSGroupPolicy == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
+		obj.Spec.FSGroupPolicy = new(storagev1beta1.FSGroupPolicy)
+		*obj.Spec.FSGroupPolicy = storagev1beta1.ReadWriteOnceWithFSTypeFSGroupPolicy
+	}
 	if len(obj.Spec.VolumeLifecycleModes) == 0 && utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		obj.Spec.VolumeLifecycleModes = append(obj.Spec.VolumeLifecycleModes, storagev1beta1.VolumeLifecyclePersistent)
 	}

pkg/apis/storage/validation/validation.go

@@ -421,6 +421,7 @@ func validateCSIDriverSpec(
 	allErrs = append(allErrs, validateAttachRequired(spec.AttachRequired, fldPath.Child("attachedRequired"))...)
 	allErrs = append(allErrs, validatePodInfoOnMount(spec.PodInfoOnMount, fldPath.Child("podInfoOnMount"))...)
 	allErrs = append(allErrs, validateStorageCapacity(spec.StorageCapacity, fldPath.Child("storageCapacity"))...)
+	allErrs = append(allErrs, validateFSGroupPolicy(spec.FSGroupPolicy, fldPath.Child("fsGroupPolicy"))...)
 	allErrs = append(allErrs, validateVolumeLifecycleModes(spec.VolumeLifecycleModes, fldPath.Child("volumeLifecycleModes"))...)
 	return allErrs
 }
@@ -451,6 +452,21 @@ func validateStorageCapacity(storageCapacity *bool, fldPath *field.Path) field.E
 	if storageCapacity == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIStorageCapacity) {
 		allErrs = append(allErrs, field.Required(fldPath, ""))
 	}
+}
+
+var supportedFSGroupPolicy = sets.NewString(string(storage.ReadWriteOnceWithFSTypeFSGroupPolicy), string(storage.FileFSGroupPolicy), string(storage.NoneFSGroupPolicy))
+
+// validateFSGroupPolicy tests if FSGroupPolicy contains an appropriate value.
+func validateFSGroupPolicy(fsGroupPolicy *storage.FSGroupPolicy, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if fsGroupPolicy == nil {
+		// This is not a required field, so if nothing is provided simply return
+		return allErrs
+	}
+
+	if !supportedFSGroupPolicy.Has(string(*fsGroupPolicy)) {
+		allErrs = append(allErrs, field.NotSupported(fldPath, fsGroupPolicy, supportedFSGroupPolicy.List()))
+	}
 
 	return allErrs
 }

pkg/apis/storage/validation/validation_test.go

@@ -1665,6 +1665,9 @@ func TestCSIDriverValidation(t *testing.T) {
 	attachNotRequired := false
 	podInfoOnMount := true
 	notPodInfoOnMount := false
+	supportedFSGroupPolicy := storage.FileFSGroupPolicy
+	invalidFSGroupPolicy := storage.ReadWriteOnceWithFSTypeFSGroupPolicy
+	invalidFSGroupPolicy = "invalid-mode"
 	successCases := []storage.CSIDriver{
 		{
 			ObjectMeta: metav1.ObjectMeta{Name: driverName},
@@ -1769,6 +1772,14 @@ func TestCSIDriverValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: driverName},
+			Spec: storage.CSIDriverSpec{
+				AttachRequired: &attachNotRequired,
+				PodInfoOnMount: &notPodInfoOnMount,
+				FSGroupPolicy:  &supportedFSGroupPolicy,
+			},
+		},
 	}
 
 	for _, csiDriver := range successCases {
@@ -1818,6 +1829,15 @@ func TestCSIDriverValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			// invalid fsGroupPolicy
+			ObjectMeta: metav1.ObjectMeta{Name: driverName},
+			Spec: storage.CSIDriverSpec{
+				AttachRequired: &attachNotRequired,
+				PodInfoOnMount: &notPodInfoOnMount,
+				FSGroupPolicy:  &invalidFSGroupPolicy,
+			},
+		},
 	}
 
 	for _, csiDriver := range errorCases {

pkg/features/kube_features.go

@@ -435,6 +435,12 @@ const (
 	// Expects vSphere CSI Driver to be installed and configured on all nodes.
 	CSIMigrationvSphereComplete featuregate.Feature = "CSIMigrationvSphereComplete"
 
+	// owner: @huffmanca
+	// alpha: v1.19
+	//
+	// Determines if a CSI Driver supports applying fsGroup.
+	CSIVolumeFSGroupPolicy featuregate.Feature = "CSIVolumeFSGroupPolicy"
+
 	// owner: @gnufied
 	// alpha: v1.18
 	// Allows user to configure volume permission change policy for fsGroups when mounting
@@ -685,6 +691,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	CSIInlineVolume:                {Default: true, PreRelease: featuregate.Beta},
 	CSIStorageCapacity:             {Default: false, PreRelease: featuregate.Alpha},
 	GenericEphemeralVolume:         {Default: false, PreRelease: featuregate.Alpha},
+	CSIVolumeFSGroupPolicy:         {Default: false, PreRelease: featuregate.Alpha},
 	RuntimeClass:                   {Default: true, PreRelease: featuregate.Beta},
 	NodeLease:                      {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	SCTPSupport:                    {Default: true, PreRelease: featuregate.Beta},

pkg/registry/storage/csidriver/strategy.go

@@ -45,14 +45,16 @@ func (csiDriverStrategy) NamespaceScoped() bool {
 
 // PrepareForCreate clears the fields for which the corresponding feature is disabled.
 func (csiDriverStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
+	csiDriver := obj.(*storage.CSIDriver)
 	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIStorageCapacity) {
-		csiDriver := obj.(*storage.CSIDriver)
 		csiDriver.Spec.StorageCapacity = nil
 	}
 	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
-		csiDriver := obj.(*storage.CSIDriver)
 		csiDriver.Spec.VolumeLifecycleModes = nil
 	}
+	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
+		csiDriver.Spec.FSGroupPolicy = nil
+	}
 }
 
 func (csiDriverStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
@@ -86,6 +88,11 @@ func (csiDriverStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.
 		newCSIDriver := obj.(*storage.CSIDriver)
 		newCSIDriver.Spec.VolumeLifecycleModes = nil
 	}
+	if old.(*storage.CSIDriver).Spec.FSGroupPolicy == nil &&
+		!utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
+		newCSIDriver := obj.(*storage.CSIDriver)
+		newCSIDriver.Spec.FSGroupPolicy = nil
+	}
 }
 
 func (csiDriverStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {

pkg/volume/csi/csi_mounter.go

@@ -66,6 +66,7 @@ type csiMountMgr struct {
 	plugin              *csiPlugin
 	driverName          csiDriverName
 	volumeLifecycleMode storage.VolumeLifecycleMode
+	fsGroupPolicy       storage.FSGroupPolicy
 	volumeID            string
 	specVolumeID        string
 	readOnly            bool
@@ -277,17 +278,30 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 		klog.V(2).Info(log("error checking for SELinux support: %s", err))
 	}
 
-	// apply volume ownership
+	fsGroupFeatureGateEnabled := utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy)
-	// The following logic is derived from https://github.com/kubernetes/kubernetes/issues/66323
+	// If the feature gate isn't enabled, then adjust the CSIDriver to use the ReadWriteOnceWithFSTypeFSGroupPolicy
-	// if fstype is "", then skip fsgroup (could be indication of non-block filesystem)
+	// policy. This keeps the default behavior.
-	// if fstype is provided and pv.AccessMode == ReadWriteOnly, then apply fsgroup
+	if !fsGroupFeatureGateEnabled {
-	err = c.applyFSGroup(fsType, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy)
+		c.fsGroupPolicy = storage.ReadWriteOnceWithFSTypeFSGroupPolicy
-	if err != nil {
+	}
-		// At this point mount operation is successful:
+
-		//   1. Since volume can not be used by the pod because of invalid permissions, we must return error
+	// If the the FSGroupPolicy isn't NoneFSGroupPolicy, then we should attempt to modify
-		//   2. Since mount is successful, we must record volume as mounted in uncertain state, so it can be
+	// the fsGroup. At this point the feature gate is enabled, so we should proceed,
-		//      cleaned up.
+	// or it's disabled, at which point we should evaluate the fstype and pv.AccessMode
-		return volumetypes.NewUncertainProgressError(fmt.Sprintf("applyFSGroup failed for vol %s: %v", c.volumeID, err))
+	// and update the fsGroup appropriately.
+	if c.fsGroupPolicy != storage.NoneFSGroupPolicy {
+
+		// The following logic is derived from https://github.com/kubernetes/kubernetes/issues/66323
+		// if fstype is "", then skip fsgroup (could be indication of non-block filesystem)
+		// if fstype is provided and pv.AccessMode == ReadWriteOnly, then apply fsgroup
+		err = c.applyFSGroup(fsType, mounterArgs.FsGroup, mounterArgs.FSGroupChangePolicy)
+		if err != nil {
+			// At this point mount operation is successful:
+			//   1. Since volume can not be used by the pod because of invalid permissions, we must return error
+			//   2. Since mount is successful, we must record volume as mounted in uncertain state, so it can be
+			//      cleaned up.
+			return volumetypes.NewUncertainProgressError(fmt.Sprintf("applyFSGroup failed for vol %s: %v", c.volumeID, err))
+		}
 	}
 
 	klog.V(4).Infof(log("mounter.SetUp successfully requested NodePublish [%s]", dir))
@@ -377,25 +391,30 @@ func (c *csiMountMgr) TearDownAt(dir string) error {
 // 1) if fstype is "", then skip fsgroup (could be indication of non-block filesystem)
 // 2) if fstype is provided and pv.AccessMode == ReadWriteOnly and !c.spec.ReadOnly then apply fsgroup
 func (c *csiMountMgr) applyFSGroup(fsType string, fsGroup *int64, fsGroupChangePolicy *v1.PodFSGroupChangePolicy) error {
-	if fsGroup != nil {
+	if c.fsGroupPolicy == storage.FileFSGroupPolicy || fsGroup != nil {
-		if fsType == "" {
-			klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, fsType not provided"))
-			return nil
-		}
 
-		accessModes := c.spec.PersistentVolume.Spec.AccessModes
+		// If the FSGroupPolicy is ReadWriteOnceWithFSTypeFSGroupPolicy perform additional checks
-		if c.spec.PersistentVolume.Spec.AccessModes == nil {
+		// to determine if we should proceed with modifying the fsGroup.
-			klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, access modes not provided"))
+		if c.fsGroupPolicy == storage.ReadWriteOnceWithFSTypeFSGroupPolicy {
-			return nil
+			if fsType == "" {
-		}
+				klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, fsType not provided"))
-		if !hasReadWriteOnce(accessModes) {
+				return nil
-			klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, only support ReadWriteOnce access mode"))
+			}
-			return nil
-		}
 
-		if c.readOnly {
+			accessModes := c.spec.PersistentVolume.Spec.AccessModes
-			klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, volume is readOnly"))
+			if c.spec.PersistentVolume.Spec.AccessModes == nil {
-			return nil
+				klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, access modes not provided"))
+				return nil
+			}
+			if !hasReadWriteOnce(accessModes) {
+				klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, only support ReadWriteOnce access mode"))
+				return nil
+			}
+
+			if c.readOnly {
+				klog.V(4).Info(log("mounter.SetupAt WARNING: skipping fsGroup, volume is readOnly"))
+				return nil
+			}
 		}
 
 		err := volume.SetVolumeOwnership(c, fsGroup, fsGroupChangePolicy)
@@ -403,7 +422,9 @@ func (c *csiMountMgr) applyFSGroup(fsType string, fsGroup *int64, fsGroupChangeP
 			return err
 		}
 
-		klog.V(4).Info(log("mounter.SetupAt fsGroup [%d] applied successfully to %s", *fsGroup, c.volumeID))
+		if fsGroup != nil {
+			klog.V(4).Info(log("mounter.SetupAt fsGroup [%d] applied successfully to %s", *fsGroup, c.volumeID))
+		}
 	}
 
 	return nil

pkg/volume/csi/csi_mounter_test.go

@@ -640,12 +640,14 @@ func TestMounterSetUpWithFSGroup(t *testing.T) {
 	defer os.RemoveAll(tmpDir)
 
 	testCases := []struct {
-		name        string
+		name                string
-		accessModes []api.PersistentVolumeAccessMode
+		accessModes         []api.PersistentVolumeAccessMode
-		readOnly    bool
+		readOnly            bool
-		fsType      string
+		fsType              string
-		setFsGroup  bool
+		setFsGroup          bool
-		fsGroup     int64
+		fsGroup             int64
+		driverFSGroupPolicy bool
+		supportMode         storage.FSGroupPolicy
 	}{
 		{
 			name: "default fstype, with no fsgroup (should not apply fsgroup)",
@@ -694,11 +696,93 @@ func TestMounterSetUpWithFSGroup(t *testing.T) {
 			setFsGroup: true,
 			fsGroup:    3000,
 		},
+		{
+			name: "fstype, fsgroup, RWO provided, FSGroupPolicy ReadWriteOnceWithFSType (should apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			fsType:              "ext4",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.ReadWriteOnceWithFSTypeFSGroupPolicy,
+		},
+		{
+			name: "default fstype with no fsgroup, FSGroupPolicy ReadWriteOnceWithFSType (should not apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			readOnly:            false,
+			fsType:              "",
+			driverFSGroupPolicy: true,
+			supportMode:         storage.ReadWriteOnceWithFSTypeFSGroupPolicy,
+		},
+		{
+			name: "default fstype with fsgroup, FSGroupPolicy ReadWriteOnceWithFSType (should not apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			readOnly:            false,
+			fsType:              "",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.ReadWriteOnceWithFSTypeFSGroupPolicy,
+		},
+		{
+			name: "fstype, fsgroup, RWO provided, readonly, FSGroupPolicy ReadWriteOnceWithFSType (should not apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			readOnly:            true,
+			fsType:              "ext4",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.ReadWriteOnceWithFSTypeFSGroupPolicy,
+		},
+		{
+			name: "fstype, fsgroup, RWX provided, FSGroupPolicy ReadWriteOnceWithFSType (should not apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteMany,
+			},
+			readOnly:            false,
+			fsType:              "ext4",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.ReadWriteOnceWithFSTypeFSGroupPolicy,
+		},
+		{
+			name: "fstype, fsgroup, RWO provided, FSGroupPolicy None (should not apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			fsType:              "ext4",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.NoneFSGroupPolicy,
+		},
+		{
+			name: "fstype, fsgroup, RWO provided, readOnly, FSGroupPolicy File (should apply fsgroup)",
+			accessModes: []api.PersistentVolumeAccessMode{
+				api.ReadWriteOnce,
+			},
+			readOnly:            true,
+			fsType:              "ext4",
+			setFsGroup:          true,
+			fsGroup:             3000,
+			driverFSGroupPolicy: true,
+			supportMode:         storage.FileFSGroupPolicy,
+		},
 	}
 
 	for i, tc := range testCases {
 		t.Logf("Running test %s", tc.name)
 
+		defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIVolumeFSGroupPolicy, tc.driverFSGroupPolicy)()
+
 		volName := fmt.Sprintf("test-vol-%d", i)
 		registerFakePlugin(testDriver, "endpoint", []string{"1.0.0"}, t)
 		pv := makeTestPV("test-pv", 10, testDriver, volName)
@@ -725,6 +809,9 @@ func TestMounterSetUpWithFSGroup(t *testing.T) {
 		}
 
 		csiMounter := mounter.(*csiMountMgr)
+		if tc.driverFSGroupPolicy {
+			csiMounter.fsGroupPolicy = tc.supportMode
+		}
 		csiMounter.csiClient = setupClient(t, true)
 
 		attachID := getAttachmentName(csiMounter.volumeID, string(csiMounter.driverName), string(plug.host.GetNodeName()))

pkg/volume/csi/csi_plugin.go

@@ -380,6 +380,11 @@ func (p *csiPlugin) NewMounter(
 		return nil, err
 	}
 
+	fsGroupPolicy, err := p.getFSGroupPolicy(driverName)
+	if err != nil {
+		return nil, err
+	}
+
 	k8s := p.host.GetKubeClient()
 	if k8s == nil {
 		return nil, errors.New(log("failed to get a kubernetes client"))
@@ -398,6 +403,7 @@ func (p *csiPlugin) NewMounter(
 		podUID:              pod.UID,
 		driverName:          csiDriverName(driverName),
 		volumeLifecycleMode: volumeLifecycleMode,
+		fsGroupPolicy:       fsGroupPolicy,
 		volumeID:            volumeHandle,
 		specVolumeID:        spec.Name(),
 		readOnly:            readOnly,
@@ -846,6 +852,46 @@ func (p *csiPlugin) getVolumeLifecycleMode(spec *volume.Spec) (storage.VolumeLif
 	return storage.VolumeLifecyclePersistent, nil
 }
 
+// getFSGroupPolicy returns if the CSI driver supports a volume in the given mode.
+// An error indicates that it isn't supported and explains why.
+func (p *csiPlugin) getFSGroupPolicy(driver string) (storage.FSGroupPolicy, error) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
+		// feature is disabled, default to ReadWriteOnceWithFSTypeFSGroupPolicy
+		return storage.ReadWriteOnceWithFSTypeFSGroupPolicy, nil
+	}
+
+	// Retrieve CSIDriver. It's not an error if that isn't
+	// possible (we don't have the lister if CSIDriverRegistry is
+	// disabled) or the driver isn't found (CSIDriver is
+	// optional)
+	var csiDriver *storage.CSIDriver
+	if p.csiDriverLister != nil {
+		kletHost, ok := p.host.(volume.KubeletVolumeHost)
+		if ok {
+			if err := kletHost.WaitForCacheSync(); err != nil {
+				return storage.ReadWriteOnceWithFSTypeFSGroupPolicy, err
+			}
+		}
+
+		c, err := p.csiDriverLister.Get(driver)
+		if err != nil && !apierrors.IsNotFound(err) {
+			// Some internal error.
+			return storage.ReadWriteOnceWithFSTypeFSGroupPolicy, err
+		}
+		csiDriver = c
+	}
+
+	// If the csiDriver isn't defined, return the default behavior
+	if csiDriver == nil {
+		return storage.ReadWriteOnceWithFSTypeFSGroupPolicy, nil
+	}
+	// If the csiDriver exists but the fsGroupPolicy isn't defined, return an error
+	if csiDriver.Spec.FSGroupPolicy == nil || *csiDriver.Spec.FSGroupPolicy == "" {
+		return storage.ReadWriteOnceWithFSTypeFSGroupPolicy, errors.New(log("expected valid fsGroupPolicy, received nil value or empty string"))
+	}
+	return *csiDriver.Spec.FSGroupPolicy, nil
+}
+
 func (p *csiPlugin) getPublishContext(client clientset.Interface, handle, driver, nodeName string) (map[string]string, error) {
 	skip, err := p.skipAttach(driver)
 	if err != nil {

staging/src/k8s.io/api/storage/v1/types.go

@@ -336,8 +336,47 @@ type CSIDriverSpec struct {
 	//
 	// +optional
 	StorageCapacity *bool `json:"storageCapacity,omitempty" protobuf:"bytes,4,opt,name=storageCapacity"`
+
+	// Defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	// This field is alpha-level, and is only honored by servers
+	// that enable the CSIVolumeFSGroupPolicy feature gate.
+	// +optional
+	FSGroupPolicy *FSGroupPolicy `json:"fsGroupPolicy,omitempty" protobuf:"bytes,5,opt,name=fsGroupPolicy"`
 }
 
+// FSGroupPolicy specifies if a CSI Driver supports modifying
+// volume ownership and permissions of the volume to be mounted.
+// More modes may be added in the future.
+type FSGroupPolicy string
+
+const (
+	// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
+	// to determine if the volume ownership and permissions
+	// should be modified. If a fstype is defined and the volume's access mode
+	// contains ReadWriteOnce, then the defined fsGroup will be applied.
+	// This mode should be defined if it's expected that the
+	// fsGroup may need to be modified depending on the pod's SecurityPolicy.
+	// This is the default behavior if no other FSGroupPolicy is defined.
+	ReadWriteOnceWithFSTypeFSGroupPolicy FSGroupPolicy = "ReadWriteOnceWithFSType"
+
+	// FileFSGroupPolicy indicates that CSI driver supports volume ownership
+	// and permission change via fsGroup, and Kubernetes may use fsGroup
+	// to change permissions and ownership of the volume to match user requested fsGroup in
+	// the pod's SecurityPolicy regardless of fstype or access mode.
+	// This mode should be defined if the fsGroup is expected to always change on mount
+	FileFSGroupPolicy FSGroupPolicy = "File"
+
+	// NoneFSGroupPolicy indicates that volumes will be mounted without performing
+	// any ownership or permission modifications, as the CSIDriver does not support
+	// these operations.
+	// This mode should be selected if the CSIDriver does not support fsGroup modifications,
+	// for example when Kubernetes cannot change ownership and permissions on a volume due
+	// to root-squash settings on a NFS volume.
+	NoneFSGroupPolicy FSGroupPolicy = "None"
+)
+
 // VolumeLifecycleMode is an enumeration of possible usage modes for a volume
 // provided by a CSI driver. More modes may be added in the future.
 type VolumeLifecycleMode string

staging/src/k8s.io/api/storage/v1beta1/types.go

@@ -356,8 +356,41 @@ type CSIDriverSpec struct {
 	//
 	// +optional
 	StorageCapacity *bool `json:"storageCapacity,omitempty" protobuf:"bytes,4,opt,name=storageCapacity"`
+
+	// Defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	// This field is alpha-level, and is only honored by servers
+	// that enable the CSIVolumeFSGroupPolicy feature gate.
+	// +optional
+	FSGroupPolicy *FSGroupPolicy `json:"fsGroupPolicy,omitempty" protobuf:"bytes,5,opt,name=fsGroupPolicy"`
 }
 
+// FSGroupPolicy specifies if a CSI Driver supports modifying
+// volume ownership and permissions of the volume to be mounted.
+// More modes may be added in the future.
+type FSGroupPolicy string
+
+const (
+	// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
+	// to determine if the volume ownership and permissions
+	// should be modified. If a fstype is defined and the volume's access mode
+	// contains ReadWriteOnce, then the defined fsGroup will be applied.
+	// This is the default behavior if no other FSGroupPolicy is defined.
+	ReadWriteOnceWithFSTypeFSGroupPolicy FSGroupPolicy = "ReadWriteOnceWithFSType"
+
+	// FileFSGroupPolicy indicates that CSI driver supports volume ownership
+	// and permission change via fsGroup, and Kubernetes may use fsGroup
+	// to change permissions and ownership of the volume to match user requested fsGroup in
+	// the pod's SecurityPolicy regardless of fstype or access mode.
+	FileFSGroupPolicy FSGroupPolicy = "File"
+
+	// None indicates that volumes will be mounted without performing
+	// any ownership or permission modifications, as the CSIDriver does not support
+	// these operations.
+	NoneFSGroupPolicy FSGroupPolicy = "None"
+)
+
 // VolumeLifecycleMode is an enumeration of possible usage modes for a volume
 // provided by a CSI driver. More modes may be added in the future.
 type VolumeLifecycleMode string