restrict sidecar bucket access check for only workload identity

Sneha-at · Sneha-at · commit 9e0ddcb4a6d9 · 2025-10-17T22:41:57.000Z
diff --git a/pkg/csi_driver/node.go b/pkg/csi_driver/node.go
@@ -148,6 +148,9 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 		}
 		klog.V(6).Infof("NodePublishVolume populating identity provider %q in mount options", identityProvider)
 		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.OptInHnw + "=true", util.TokenServerIdentityProviderConst + "=" + identityProvider})
+	} else if enableSidecarBucketAccessCheckForSidecarVersion {
+		//Enable sidecar bucket access check only for Workload Identity workloads. This feature consumes additional quota for Host Network pods as we do not have token caching.
+		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(s.driver.config.EnableSidecarBucketAccessCheck)})
 	}
 
 	if enableSidecarBucketAccessCheckForSidecarVersion {
@@ -161,7 +164,6 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{
 			util.PodNamespaceConst + "=" + vc[VolumeContextKeyPodNamespace],
 			util.ServiceAccountNameConst + "=" + vc[VolumeContextKeyServiceAccountName],
-			util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(s.driver.config.EnableSidecarBucketAccessCheck),
 			util.TokenServerIdentityPoolConst + "=" + identityPool})
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -148,6 +148,9 @@ func (s nodeServer) NodePublishVolume(ctx context.Context, req csi.NodePublish`
`148`	`148`	`}`
`149`	`149`	`klog.V(6).Infof("NodePublishVolume populating identity provider %q in mount options", identityProvider)`
`150`	`150`	`fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.OptInHnw + "=true", util.TokenServerIdentityProviderConst + "=" + identityProvider})`
	`151`	`+ } else if enableSidecarBucketAccessCheckForSidecarVersion {`
	`152`	`+ //Enable sidecar bucket access check only for Workload Identity workloads. This feature consumes additional quota for Host Network pods as we do not have token caching.`
	`153`	`+ fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(s.driver.config.EnableSidecarBucketAccessCheck)})`
`151`	`154`	`}`
`152`	`155`
`153`	`156`	`if enableSidecarBucketAccessCheckForSidecarVersion {`
`@@ -161,7 +164,6 @@ func (s nodeServer) NodePublishVolume(ctx context.Context, req csi.NodePublish`
`161`	`164`	`fuseMountOptions = joinMountOptions(fuseMountOptions, []string{`
`162`	`165`	`util.PodNamespaceConst + "=" + vc[VolumeContextKeyPodNamespace],`
`163`	`166`	`util.ServiceAccountNameConst + "=" + vc[VolumeContextKeyServiceAccountName],`
`164`		`- util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(s.driver.config.EnableSidecarBucketAccessCheck),`
`165`	`167`	`util.TokenServerIdentityPoolConst + "=" + identityPool})`
`166`	`168`	`}`
`167`	`169`