
Commit 44f583e

fix: propagate read-only mount from staging path and volume capability in NodePublishVolume
Previously, NodePublishVolume only checked req.GetReadonly() to decide whether to add 'ro' to the bind mount options. This meant that when a PV had csi.readOnly: true or mountOptions including 'ro', but the pod spec volumeMounts did not explicitly set readOnly: true, the bind mount would be writable. Fix by also checking: 1. Volume capability access mode (MULTI_NODE_READER_ONLY, SINGLE_NODE_READER_ONLY) 2. Whether the staging mount path has 'ro' in its mount options This ensures read-only intent from PV-level settings is properly propagated to the final bind mount. Ref 987
1 parent fef7ae9 commit 44f583e


1 file changed

+25
-1
lines changed

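--- a/pkg/smb/nodeserver.go
+++ b/pkg/smb/nodeserver.go
@@ -79,7 +79,31 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 }
 
 mountOptions := []string{"bind"}
-if req.GetReadonly() {
+readOnly := req.GetReadonly()
+
+// also check if the volume capability access mode is read-only
+if !readOnly && volCap.GetAccessMode() != nil {
+mode := volCap.GetAccessMode().GetMode()
+if mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
+mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY {
+readOnly = true
+}
+}
+
+// also check if the volume mount flags contain "ro"
+if !readOnly {
+if mountFlags := volCap.GetMount().GetMountFlags(); len(mountFlags) > 0 {
+for _, flag := range mountFlags {
+if flag == "ro" {
+readOnly = true
+klog.V(2).Infof("NodePublishVolume: mount flags contain 'ro', propagating to bind mount")
+break
+}
+}
+}
+}
+
+if readOnly {
 mountOptions = append(mountOptions, "ro")
 }
 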
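Review bot: The `flag == "ro"` comparison in the mount-flags loop is an exact match, so an entry such as `ro,vers=3.0` or one carrying surrounding whitespace would leave the bind mount writable even though the PV asked for read-only; consider splitting each entry on commas and trimming it before comparing, e.g. `for _, opt := range strings.Split(flag, ",") { if strings.TrimSpace(opt) == "ro" { readOnly = true } }`. The commit message says the staging path's mount options are checked, but the visible code only reads `volCap.GetMount().GetMountFlags()` from the request, so a staging mount that is read-only for some other reason would not be detected here; either the description or the check should be adjusted. Because this is the point where write protection is enforced, a unit test covering each of the three read-only sources would be worth adding, and the access-mode branch could emit the same `klog.V(2)` line as the mount-flags branch so the decision is auditable. NodePublishVolume's body starts and ends outside the hunk.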
