Merge pull request #128244 from gnufied/fix-fsgroup-behaviour
Apply fsGroup when accessMode is ReadWriteOncePod
commit
71093a09c1
@ -423,7 +423,7 @@ const (
|
|||||||
// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
|
// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
|
||||||
// to determine if the volume ownership and permissions
|
// to determine if the volume ownership and permissions
|
||||||
// should be modified. If a fstype is defined and the volume's access mode
|
// should be modified. If a fstype is defined and the volume's access mode
|
||||||
// contains ReadWriteOnce, then the defined fsGroup will be applied.
|
// contains ReadWriteOnce or ReadWriteOncePod, then the defined fsGroup will be applied.
|
||||||
// This mode should be defined if it's expected that the
|
// This mode should be defined if it's expected that the
|
||||||
// fsGroup may need to be modified depending on the pod's SecurityPolicy.
|
// fsGroup may need to be modified depending on the pod's SecurityPolicy.
|
||||||
// This is the default behavior if no other FSGroupPolicy is defined.
|
// This is the default behavior if no other FSGroupPolicy is defined.
|
||||||
|
@ -860,6 +860,15 @@ func TestMounterSetUpWithFSGroup(t *testing.T) {
|
|||||||
setFsGroup: true,
|
setFsGroup: true,
|
||||||
fsGroup: 3000,
|
fsGroup: 3000,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "fstype, fsgroup, RWOP provided (should apply fsgroup)",
|
||||||
|
accessModes: []corev1.PersistentVolumeAccessMode{
|
||||||
|
corev1.ReadWriteOncePod,
|
||||||
|
},
|
||||||
|
fsType: "ext4",
|
||||||
|
setFsGroup: true,
|
||||||
|
fsGroup: 3000,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "fstype, fsgroup, RWO provided, FSGroupPolicy ReadWriteOnceWithFSType (should apply fsgroup)",
|
name: "fstype, fsgroup, RWO provided, FSGroupPolicy ReadWriteOnceWithFSType (should apply fsgroup)",
|
||||||
accessModes: []corev1.PersistentVolumeAccessMode{
|
accessModes: []corev1.PersistentVolumeAccessMode{
|
||||||
|
@ -134,7 +134,8 @@ func hasReadWriteOnce(modes []api.PersistentVolumeAccessMode) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
for _, mode := range modes {
|
for _, mode := range modes {
|
||||||
if mode == api.ReadWriteOnce {
|
if mode == api.ReadWriteOnce ||
|
||||||
|
mode == api.ReadWriteOncePod {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
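Review bot: The helper name `hasReadWriteOnce` no longer says what the function tests now that the condition also accepts `api.ReadWriteOncePod`, and nothing in the hunk documents the wider meaning. Going by the updated `ReadWriteOnceWithFSTypeFSGroupPolicy` comment on this page, this predicate appears to decide whether fsGroup ownership and permissions are applied to a volume, so a reader who trusts the name could conclude that ReadWriteOncePod volumes are left untouched. I would add a doc comment above the function, for example `// hasReadWriteOnce reports whether modes contains ReadWriteOnce or ReadWriteOncePod; fsGroup is applied to volumes with either access mode.` The signature's body starts outside the hunk (only the tail of an early `return false` guard is visible), so a rename of the helper and its callers is not proposed here.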
@ -433,7 +433,7 @@ const (
|
|||||||
// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
|
// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
|
||||||
// to determine if the volume ownership and permissions
|
// to determine if the volume ownership and permissions
|
||||||
// should be modified. If a fstype is defined and the volume's access mode
|
// should be modified. If a fstype is defined and the volume's access mode
|
||||||
// contains ReadWriteOnce, then the defined fsGroup will be applied.
|
// contains ReadWriteOnce or ReadWriteOncePod, then the defined fsGroup will be applied.
|
||||||
// This mode should be defined if it's expected that the
|
// This mode should be defined if it's expected that the
|
||||||
// fsGroup may need to be modified depending on the pod's SecurityPolicy.
|
// fsGroup may need to be modified depending on the pod's SecurityPolicy.
|
||||||
// This is the default behavior if no other FSGroupPolicy is defined.
|
// This is the default behavior if no other FSGroupPolicy is defined.
|
||||||
|
@ -113,8 +113,6 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD
|
|||||||
l = local{}
|
l = local{}
|
||||||
l.driver = driver
|
l.driver = driver
|
||||||
l.config = driver.PrepareTest(ctx, f)
|
l.config = driver.PrepareTest(ctx, f)
|
||||||
testVolumeSizeRange := s.GetTestSuiteInfo().SupportedSizeRange
|
|
||||||
l.resource = storageframework.CreateVolumeResource(ctx, l.driver, l.config, pattern, testVolumeSizeRange)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup := func(ctx context.Context) {
|
cleanup := func(ctx context.Context) {
|
||||||
@ -129,6 +127,8 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD
|
|||||||
framework.ExpectNoError(errors.NewAggregate(errs), "while cleanup resource")
|
framework.ExpectNoError(errors.NewAggregate(errs), "while cleanup resource")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rwopAccessMode := v1.ReadWriteOncePod
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string // Test case name
|
name string // Test case name
|
||||||
podfsGroupChangePolicy string // 'Always' or 'OnRootMismatch'
|
podfsGroupChangePolicy string // 'Always' or 'OnRootMismatch'
|
||||||
@ -143,6 +143,7 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD
|
|||||||
// * OnRootMismatch policy is not supported.
|
// * OnRootMismatch policy is not supported.
|
||||||
// * It may not be possible to chgrp after mounting a volume.
|
// * It may not be possible to chgrp after mounting a volume.
|
||||||
supportsVolumeMountGroup bool
|
supportsVolumeMountGroup bool
|
||||||
|
volumeAccessMode *v1.PersistentVolumeAccessMode
|
||||||
}{
|
}{
|
||||||
// Test cases for 'Always' policy
|
// Test cases for 'Always' policy
|
||||||
{
|
{
|
||||||
@ -154,6 +155,16 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD
|
|||||||
finalExpectedSubDirFileOwnership: 2000,
|
finalExpectedSubDirFileOwnership: 2000,
|
||||||
supportsVolumeMountGroup: true,
|
supportsVolumeMountGroup: true,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "rwop pod created with an initial fsgroup, new pod fsgroup applied to volume contents",
|
||||||
|
podfsGroupChangePolicy: "Always",
|
||||||
|
initialPodFsGroup: 1000,
|
||||||
|
secondPodFsGroup: 2000,
|
||||||
|
finalExpectedRootDirFileOwnership: 2000,
|
||||||
|
finalExpectedSubDirFileOwnership: 2000,
|
||||||
|
supportsVolumeMountGroup: true,
|
||||||
|
volumeAccessMode: &rwopAccessMode,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "pod created with an initial fsgroup, volume contents ownership changed via chgrp in first pod, new pod with same fsgroup applied to the volume contents",
|
name: "pod created with an initial fsgroup, volume contents ownership changed via chgrp in first pod, new pod with same fsgroup applied to the volume contents",
|
||||||
podfsGroupChangePolicy: "Always",
|
podfsGroupChangePolicy: "Always",
|
||||||
@ -218,6 +229,13 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD
|
|||||||
}
|
}
|
||||||
|
|
||||||
init(ctx)
|
init(ctx)
|
||||||
|
testVolumeSizeRange := s.GetTestSuiteInfo().SupportedSizeRange
|
||||||
|
if test.volumeAccessMode != nil {
|
||||||
|
accessModes := []v1.PersistentVolumeAccessMode{*test.volumeAccessMode}
|
||||||
|
l.resource = storageframework.CreateVolumeResourceWithAccessModes(ctx, l.driver, l.config, pattern, testVolumeSizeRange, accessModes, nil)
|
||||||
|
} else {
|
||||||
|
l.resource = storageframework.CreateVolumeResource(ctx, l.driver, l.config, pattern, testVolumeSizeRange)
|
||||||
|
}
|
||||||
ginkgo.DeferCleanup(cleanup)
|
ginkgo.DeferCleanup(cleanup)
|
||||||
podConfig := e2epod.Config{
|
podConfig := e2epod.Config{
|
||||||
NS: f.Namespace.Name,
|
NS: f.Namespace.Name,
|
||||||
|
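Review bot: The new `rwop pod created with an initial fsgroup, new pod fsgroup applied to volume contents` case requests a `ReadWriteOncePod` volume from every driver that runs this suite, and no check visible in these hunks skips it for drivers that cannot provision that access mode. If the suite's skip logic outside the hunks does not already cover this, the `if test.volumeAccessMode != nil` branch in the last hunk should skip the case when the driver does not advertise `storageframework.CapReadWriteOncePod`, so an unsupported driver reports a skip and not a provisioning failure. The RWOP case is also added only under the `Always` policy; an `OnRootMismatch` counterpart would exercise the other ownership path for the same access mode. Finally, the trailing `nil` in `CreateVolumeResourceWithAccessModes(ctx, l.driver, l.config, pattern, testVolumeSizeRange, accessModes, nil)` would read better with a short comment naming the argument it leaves unset.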