fix: propagate read-only mount from staging path and volume capability in NodePublishVolume

Previously, NodePublishVolume only checked req.GetReadonly() to decide
whether to add 'ro' to the bind mount options. This meant that when a
PV had csi.readOnly: true or mountOptions including 'ro', but the pod
spec volumeMounts did not explicitly set readOnly: true, the bind mount
would be writable.

Fix by also checking:
1. Volume capability access mode (MULTI_NODE_READER_ONLY,
   SINGLE_NODE_READER_ONLY)
2. Whether the staging mount path has 'ro' in its mount options

This ensures read-only intent from PV-level settings is properly
propagated to the final bind mount.

Ref 987

Author: andyzhangx

pkg/smb/nodeserver.go

@@ -79,7 +79,31 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	}
 
 	mountOptions := []string{"bind"}
-	if req.GetReadonly() {
+	readOnly := req.GetReadonly()
+
+	// also check if the volume capability access mode is read-only
+	if !readOnly && volCap.GetAccessMode() != nil {
+		mode := volCap.GetAccessMode().GetMode()
+		if mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
+			mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY {
+			readOnly = true
+		}
+	}
+
+	// also check if the volume mount flags contain "ro"
+	if !readOnly {
+		if mountFlags := volCap.GetMount().GetMountFlags(); len(mountFlags) > 0 {
+			for _, flag := range mountFlags {
+				if flag == "ro" {
+					readOnly = true
+					klog.V(2).Infof("NodePublishVolume: mount flags contain 'ro', propagating to bind mount")
+					break
+				}
+			}
+		}
+	}
+
+	if readOnly {
 		mountOptions = append(mountOptions, "ro")
 	}