GoogleCloudPlatform
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/cloud_provider/clientset/clientset.go‎
Lines changed: 6 additions & 0 deletions b/‎pkg/cloud_provider/clientset/clientset.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎pkg/csi_driver/node.go‎
Lines changed: 15 additions & 3 deletions b/‎pkg/csi_driver/node.go‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎pkg/csi_driver/utils.go‎
Lines changed: 24 additions & 0 deletions b/‎pkg/csi_driver/utils.go‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎pkg/csi_driver/utils_test.go‎
Lines changed: 41 additions & 0 deletions b/‎pkg/csi_driver/utils_test.go‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎test/e2e/specs/specs.go‎
Lines changed: 1 addition & 1 deletion b/‎test/e2e/specs/specs.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/e2e/testsuites/volumes.go‎
Lines changed: 14 additions & 4 deletions b/‎test/e2e/testsuites/volumes.go‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎vendor/golang.org/x/mod/LICENSE‎
Lines changed: 27 additions & 0 deletions b/‎vendor/golang.org/x/mod/LICENSE‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎vendor/golang.org/x/mod/PATENTS‎
Lines changed: 22 additions & 0 deletions b/‎vendor/golang.org/x/mod/PATENTS‎
Lines changed: 22 additions & 0 deletions
@@ -17,6 +17,7 @@ require (
 	github.com/prometheus/client_golang v1.18.0
 	github.com/prometheus/client_model v0.6.0
 	github.com/prometheus/common v0.46.0
+	golang.org/x/mod v0.19.0
 	golang.org/x/net v0.37.0
 	golang.org/x/oauth2 v0.22.0
 	golang.org/x/time v0.6.0
 
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/googlecloudplatform/gcs-fuse-csi-driver/pkg/webhook"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -105,6 +106,11 @@ func (c *Clientset) ConfigurePodLister(nodeName string) {
 
 		var newInitContainers []corev1.Container
 		for _, cont := range podObj.Spec.InitContainers {
+			if cont.Name == webhook.GcsFuseSidecarName {
+				newInitContainers = append(newInitContainers, cont)
+
+				continue
+			}
 			container := corev1.Container{
 				Name:            cont.Name,
 				SecurityContext: cont.SecurityContext,
 
@@ -295,13 +295,25 @@ func (s *nodeServer) prepareStorageService(ctx context.Context, vc map[string]st
 }
 
 func (s *nodeServer) shouldStartTokenServer(pod *corev1.Pod) bool {
+	tokenVolumeInjected := false
 	for _, vol := range pod.Spec.Volumes {
 		if vol.Name == webhook.SidecarContainerSATokenVolumeName {
-			klog.Infof("Service Account Token Injection feature is turned on.")
+			klog.Infof("Service Account Token Injection feature is turned on from webhook.")
 
-			return true
+			tokenVolumeInjected = true
+
+			break
+		}
+	}
+	var sidecarVersionSupported bool
+
+	for _, container := range pod.Spec.InitContainers {
+		if container.Name == webhook.GcsFuseSidecarName {
+			sidecarVersionSupported = isSidecarVersionSupportedForTokenServer(container.Image)
+
+			break
 		}
 	}
 
-	return false
+	return tokenVolumeInjected && sidecarVersionSupported
 }
@@ -22,13 +22,15 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 
 	csi "github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/googlecloudplatform/gcs-fuse-csi-driver/pkg/util"
 	"github.com/googlecloudplatform/gcs-fuse-csi-driver/pkg/webhook"
 	pbSanitizer "github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
+	"golang.org/x/mod/semver"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -63,6 +65,7 @@ const (
 	VolumeContextKeyPodNamespace        = "csi.storage.k8s.io/pod.namespace"
 	VolumeContextKeyEphemeral           = "csi.storage.k8s.io/ephemeral"
 	VolumeContextKeyBucketName          = "bucketName"
+	tokenServerSidecarMinVersion        = "v1.12.2-gke.0" // #nosec G101
 )
 
 func NewVolumeCapabilityAccessMode(mode csi.VolumeCapability_AccessMode_Mode) *csi.VolumeCapability_AccessMode {
@@ -460,3 +463,24 @@ func getSidecarContainerStatus(isInitContainer bool, pod *corev1.Pod) (*corev1.C
 
 	return nil, errors.New("the sidecar container was not found")
 }
+
+func isSidecarVersionSupportedForTokenServer(imageName string) bool {
+	managedSidecarPattern := `.*/gke-release(-staging)?/gcs-fuse-csi-driver-sidecar-mounter:v\d+.\d+.\d+-gke\.\d+.*`
+	re := regexp.MustCompile(managedSidecarPattern)
+	isManagedSidecar := re.MatchString(imageName)
+
+	if !isManagedSidecar {
+		klog.Infof("mountOptions should not be passed because this is a private sidecar image %q", imageName)
+
+		return false
+	}
+	imageVersion := strings.Split(strings.Split(imageName, ":")[1], "@")[0]
+	klog.Infof("sidecar image version: %v", imageVersion)
+	if semver.Compare(imageVersion, tokenServerSidecarMinVersion) >= 0 {
+		klog.Infof("sidecar version is supported for token server")
+
+		return true
+	}
+
+	return false
+}
@@ -65,6 +65,47 @@ func TestJoinMountOptions(t *testing.T) {
 	})
 }
 
+func TestIsSidecarVersionSupportedForTokenServer(t *testing.T) {
+	t.Parallel()
+	t.Run("checking if sidecar version is supported for token server", func(t *testing.T) {
+		t.Parallel()
+		testCases := []struct {
+			name              string
+			imageName         string
+			expectedSupported bool
+		}{
+			{
+				name:              "should return true for supported sidecar version",
+				imageName:         "us-central1-artifactregistry.gcr.io/gke-release/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.12.3-gke.2@sha256:abcd",
+				expectedSupported: true,
+			},
+			{
+				name:              "should return true for supported sidecar version in staging gcr",
+				imageName:         "gcr.io/gke-release-staging/gcs-fuse-csi-driver-sidecar-mounter:v1.12.2-gke.0@sha256:abcd",
+				expectedSupported: true,
+			},
+			{
+				name:              "should return false for unsupported sidecar version",
+				imageName:         "us-central1-artifactregistry.gcr.io/gke-release/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.8.7-gke.1@sha256:abcd",
+				expectedSupported: false,
+			},
+			{
+				name:              "should return false for private sidecar",
+				imageName:         "customer.gcr.io/dir/gcs-fuse-csi-driver-sidecar-mounter:v1.12.2-gke.0@sha256:abcd",
+				expectedSupported: false,
+			},
+		}
+
+		for _, tc := range testCases {
+			t.Logf("test case: %s", tc.name)
+			actual := isSidecarVersionSupportedForTokenServer(tc.imageName)
+			if actual != tc.expectedSupported {
+				t.Errorf("Got supported %v, but expected %v", actual, tc.expectedSupported)
+			}
+		}
+	})
+}
+
 func TestParseVolumeAttributes(t *testing.T) {
 	t.Parallel()
 	t.Run("parsing volume attributes into mount options", func(t *testing.T) {
 
@@ -90,7 +90,7 @@ const (
 	GolangImage         = "golang:1.22.7"
 	UbuntuImage         = "ubuntu:20.04"
 
-	LastPublishedSidecarContainerImage = "gcr.io/gke-release/gcs-fuse-csi-driver-sidecar-mounter@sha256:380bd2a716b936d9469d09e3a83baf22dddca1586a04a0060d7006ea78930cac"
+	LastPublishedSidecarContainerImage = "gcr.io/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.7.1-gke.3@sha256:380bd2a716b936d9469d09e3a83baf22dddca1586a04a0060d7006ea78930cac"
 
 	pollInterval     = 1 * time.Second
 	pollTimeout      = 1 * time.Minute
 
@@ -321,6 +321,11 @@ func (t *gcsFuseCSIVolumesTestSuite) DefineTests(driver storageframework.TestDri
 		tPod.SetCustomSidecarContainerImage()
 		tPod.SetupVolume(l.volumeResource, volumeName, mountPath, false)
 
+		if configPrefix == specs.EnableHostNetworkPrefix {
+			ginkgo.By("Turn on hostnetwork setting")
+			tPod.EnableHostNetwork()
+		}
+
 		ginkgo.By("Deploying the pod")
 		tPod.Create(ctx)
 		defer tPod.Cleanup(ctx)
@@ -330,15 +335,20 @@ func (t *gcsFuseCSIVolumesTestSuite) DefineTests(driver storageframework.TestDri
 
 		ginkgo.By("Checking that the sidecar container is using the custom image")
 		tPod.VerifyCustomSidecarContainerImage(supportsNativeSidecar, hasMetadataPrefetch)
-
-		ginkgo.By("Checking that the pod command exits with no error")
-		tPod.VerifyExecInPodSucceed(f, specs.TesterContainerName, fmt.Sprintf("mount | grep %v | grep rw,", mountPath))
-		tPod.VerifyExecInPodSucceed(f, specs.TesterContainerName, fmt.Sprintf("echo 'hello world' > %v/data && grep 'hello world' %v/data", mountPath, mountPath))
+		// Do not check pod exec for hostnetwork, as we do not expect it to work until we support this feature for private sidecars.
+		if configPrefix != specs.EnableHostNetworkPrefix {
+			ginkgo.By("Checking that the pod command exits with no error")
+			tPod.VerifyExecInPodSucceed(f, specs.TesterContainerName, fmt.Sprintf("mount | grep %v | grep rw,", mountPath))
+			tPod.VerifyExecInPodSucceed(f, specs.TesterContainerName, fmt.Sprintf("echo 'hello world' > %v/data && grep 'hello world' %v/data", mountPath, mountPath))
+		}
 	}
 
 	ginkgo.It("should store data using custom sidecar container image", func() {
 		testCaseStoreDataCustomContainerImage("")
 	})
+	ginkgo.It("should gcsfuse process succeed without missing flag error for hostnetwork pods using custom sidecar container image", func() {
+		testCaseStoreDataCustomContainerImage(specs.EnableHostNetworkPrefix)
+	})
 	ginkgo.It("[csi-skip-bucket-access-check] should store data using custom sidecar container image", func() {
 		testCaseStoreDataCustomContainerImage(specs.SkipCSIBucketAccessCheckPrefix)
 	})