Skip to content

Commit 9756db9

Browse files
authored
Merge pull request #1067 from andyzhangx/fix-readonly-publish
fix: propagate read-only mount from staging path and volume capability in NodePublishVolume
2 parents fef7ae9 + daab8f2 commit 9756db9

File tree

2 files changed

+84
-1
lines changed

2 files changed

+84
-1
lines changed

pkg/smb/nodeserver.go

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,31 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
7979
}
8080

8181
mountOptions := []string{"bind"}
82-
if req.GetReadonly() {
82+
readOnly := req.GetReadonly()
83+
84+
// also check if the volume capability access mode is read-only
85+
if !readOnly && volCap.GetAccessMode() != nil {
86+
mode := volCap.GetAccessMode().GetMode()
87+
if mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
88+
mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY {
89+
readOnly = true
90+
}
91+
}
92+
93+
// also check if the volume mount flags contain "ro"
94+
if !readOnly {
95+
if m := volCap.GetMount(); m != nil {
96+
for _, flag := range m.GetMountFlags() {
97+
if flag == "ro" {
98+
readOnly = true
99+
klog.V(2).Infof("NodePublishVolume: mount flags contain 'ro', propagating to bind mount for volume %s on target %s", volumeID, target)
100+
break
101+
}
102+
}
103+
}
104+
}
105+
106+
if readOnly {
83107
mountOptions = append(mountOptions, "ro")
84108
}
85109

pkg/smb/nodeserver_test.go

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -476,6 +476,65 @@ func TestNodePublishVolume(t *testing.T) {
476476
DefaultError: status.Error(codes.Internal, "Error getting username and password from secret in namespace podnamespace: could not username and password from secret(): KubeClient is nil"),
477477
},
478478
},
479+
{
480+
desc: "[Success] Read-only from MULTI_NODE_READER_ONLY access mode",
481+
req: &csi.NodePublishVolumeRequest{
482+
VolumeCapability: &csi.VolumeCapability{
483+
AccessMode: &csi.VolumeCapability_AccessMode{Mode: csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY},
484+
AccessType: &csi.VolumeCapability_Mount{
485+
Mount: &csi.VolumeCapability_MountVolume{},
486+
},
487+
},
488+
VolumeId: "vol_1",
489+
TargetPath: targetTest,
490+
StagingTargetPath: sourceTest,
491+
Readonly: false},
492+
expectedErr: testutil.TestError{},
493+
},
494+
{
495+
desc: "[Success] Read-only from SINGLE_NODE_READER_ONLY access mode",
496+
req: &csi.NodePublishVolumeRequest{
497+
VolumeCapability: &csi.VolumeCapability{
498+
AccessMode: &csi.VolumeCapability_AccessMode{Mode: csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY},
499+
AccessType: &csi.VolumeCapability_Mount{
500+
Mount: &csi.VolumeCapability_MountVolume{},
501+
},
502+
},
503+
VolumeId: "vol_1",
504+
TargetPath: targetTest,
505+
StagingTargetPath: sourceTest,
506+
Readonly: false},
507+
expectedErr: testutil.TestError{},
508+
},
509+
{
510+
desc: "[Success] Read-only from mount flags containing 'ro'",
511+
req: &csi.NodePublishVolumeRequest{
512+
VolumeCapability: &csi.VolumeCapability{
513+
AccessMode: &volumeCap,
514+
AccessType: &csi.VolumeCapability_Mount{
515+
Mount: &csi.VolumeCapability_MountVolume{
516+
MountFlags: []string{"ro"},
517+
},
518+
},
519+
},
520+
VolumeId: "vol_1",
521+
TargetPath: targetTest,
522+
StagingTargetPath: sourceTest,
523+
Readonly: false},
524+
expectedErr: testutil.TestError{},
525+
},
526+
{
527+
desc: "[Success] No nil panic when VolumeCapability has no Mount (block access type)",
528+
req: &csi.NodePublishVolumeRequest{
529+
VolumeCapability: &csi.VolumeCapability{
530+
AccessMode: &volumeCap,
531+
},
532+
VolumeId: "vol_1",
533+
TargetPath: targetTest,
534+
StagingTargetPath: sourceTest,
535+
Readonly: false},
536+
expectedErr: testutil.TestError{},
537+
},
479538
}
480539

481540
// Setup

0 commit comments

Comments
 (0)