Support exposing user, group and perm patterns #560

Open
treydock wants to merge 2 commits into rancher:master from treydock:patterns

Conversation

treydock commented Mar 3, 2026

This is still untested but the idea is to allow the setup command to be this:

install -d -u $VOL_USER -g $VOL_GROUP -m $VOL_PERM $VOL_DIR

We are overloading local-path-provisioner to allow PVC storage onto our cluster filesystems, and having root:root and 0777 on a shared resource is far from ideal, especially when we sometimes deal with very sensitive data on our clusters, where a 0777 directory behind a 0700 directory still raises red flags.

@treydock treydock marked this pull request as ready for review March 4, 2026 18:25

treydock commented Mar 4, 2026

This has been verified.

# kubectl get storageclass local-ess -o yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    allowUnsafePathPattern: "true"
    defaultVolumeType: hostPath
    groupPattern: '{{ index .PVC.Labels "osc.edu/service-account-gid" }}'
    meta.helm.sh/release-name: local-path-provisioner
    meta.helm.sh/release-namespace: local-path-provisioner
    permPattern: '{{ or (index .PVC.Annotations "osc.edu/volume-permission") "0750" }}'
    storageclass.kubernetes.io/is-default-class: "false"
    userPattern: '{{ index .PVC.Labels "osc.edu/service-account-uid" }}'
  creationTimestamp: "2026-03-04T17:45:11Z"
  labels:
    app.kubernetes.io/instance: local-path-provisioner
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: local-path-provisioner
    app.kubernetes.io/version: v0.0.34
    helm.sh/chart: local-path-provisioner-0.0.34-osc-r1
  name: local-ess
  resourceVersion: "1412207233"
  uid: 57e1886e-de29-48df-8f78-676cf727a1aa
parameters:
  pathPattern: '{{ index .PVC.Annotations "osc.edu/fileset" }}/kubernetes-dev-{{ .PVC.Namespace }}-{{ .PVC.Name }}'
provisioner: cluster.local/local-path-provisioner
reclaimPolicy: Delete
volumeBindingMode: Immediate

The following PVC was used to test:

$ kubectl get pvc -n tdockendorf test-ess -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"PersistentVolumeClaim","metadata":{"annotations":{"osc.edu/fileset":"PZS0708"},"name":"test-ess","namespace":"tdockendorf"},"spec":{"accessModes":["ReadWriteMany"],"resources":{"requests":{"storage":"8Gi"}},"storageClassName":"local-ess"}}
    osc.edu/fileset: PZS0708
    pv.kubernetes.io/bind-completed: "yes"
    pv.kubernetes.io/bound-by-controller: "yes"
    volume.beta.kubernetes.io/storage-provisioner: cluster.local/local-path-provisioner
    volume.kubernetes.io/storage-provisioner: cluster.local/local-path-provisioner
  creationTimestamp: "2026-03-04T18:26:40Z"
  finalizers:
  - kubernetes.io/pvc-protection
  labels:
    osc.edu/service-account: tdockendorf
    osc.edu/service-account-gid: "5509"
    osc.edu/service-account-uid: "20821"
  name: test-ess
  namespace: tdockendorf
  resourceVersion: "1412210949"
  uid: 0b4d7b5a-0909-4a8d-9bac-a71435df3c32
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 8Gi
  storageClassName: local-ess
  volumeMode: Filesystem
  volumeName: pvc-0b4d7b5a-0909-4a8d-9bac-a71435df3c32
status:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 8Gi
  phase: Bound

The resulting directory:

$ ls -la /fs/ess/PZS0708/kubernetes-dev-tdockendorf-test-ess/
total 1
drwxr-x---+ 2 tdockendorf PZS0708 4096 Mar  4 13:26 .
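The following Go program is an added example, not code from this PR or from local-path-provisioner. It renders the three pattern annotations of the `local-ess` StorageClass above against the labels and annotations of the `test-ess` PVC, and validates the rendered values before they could be handed to `install -d -u ... -g ... -m ...`. The `PVCInfo` struct is an assumed, simplified shape for the `.PVC` object the templates index into, and the refusal of world-writable modes is this example's own policy; the provisioner itself does neither of these things.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"text/template"
)

// PVCInfo is the shape this example assumes for the .PVC object that the
// StorageClass patterns index into; it is not the provisioner's own type.
type PVCInfo struct {
	Name, Namespace string
	Labels          map[string]string
	Annotations     map[string]string
}

// Patterns carries the userPattern, groupPattern and permPattern strings.
type Patterns struct{ User, Group, Perm string }

// Ownership is the validated input for `install -d -u UID -g GID -m PERM`.
type Ownership struct {
	UID, GID int
	Perm     string
}

// renderPattern executes one Go template with the PVC exposed as .PVC.
// `index` on a map with a missing key yields the zero value (an empty
// string), not an error, so every result is validated afterwards.
func renderPattern(name, pattern string, pvc PVCInfo) (string, error) {
	tmpl, err := template.New(name).Parse(pattern)
	if err != nil {
		return "", fmt.Errorf("%s: parse error: %w", name, err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]PVCInfo{"PVC": pvc}); err != nil {
		return "", fmt.Errorf("%s: execute error: %w", name, err)
	}
	return buf.String(), nil
}

// renderID rejects empty or non-numeric output, so an unlabeled PVC can
// never turn into `install -u ""` (Atoi fails on the empty string too).
func renderID(name, pattern string, pvc PVCInfo) (int, error) {
	s, err := renderPattern(name, pattern, pvc)
	if err != nil {
		return 0, err
	}
	id, err := strconv.Atoi(s)
	if err != nil || id < 0 {
		return 0, fmt.Errorf("%s rendered %q, expected a numeric id (missing PVC label?)", name, s)
	}
	return id, nil
}

// parsePerm accepts an octal mode and, as this example's policy, refuses
// world-writable modes such as the 0777 default the PR sets out to avoid.
func parsePerm(s string) (string, error) {
	mode, err := strconv.ParseUint(s, 8, 32)
	if err != nil || mode > 0o7777 {
		return "", fmt.Errorf("permPattern: %q is not an octal mode", s)
	}
	if mode&0o002 != 0 {
		return "", fmt.Errorf("permPattern: %q is world-writable, refusing", s)
	}
	return fmt.Sprintf("%04o", mode), nil
}

// ResolveOwnership renders and validates all three patterns for one PVC.
func ResolveOwnership(p Patterns, pvc PVCInfo) (Ownership, error) {
	var out Ownership
	var err error
	if out.UID, err = renderID("userPattern", p.User, pvc); err != nil {
		return Ownership{}, err
	}
	if out.GID, err = renderID("groupPattern", p.Group, pvc); err != nil {
		return Ownership{}, err
	}
	perm, err := renderPattern("permPattern", p.Perm, pvc)
	if err != nil {
		return Ownership{}, err
	}
	if out.Perm, err = parsePerm(perm); err != nil {
		return Ownership{}, err
	}
	return out, nil
}

// PagePatterns are the three annotation values of the local-ess StorageClass.
var PagePatterns = Patterns{
	User:  `{{ index .PVC.Labels "osc.edu/service-account-uid" }}`,
	Group: `{{ index .PVC.Labels "osc.edu/service-account-gid" }}`,
	Perm:  `{{ or (index .PVC.Annotations "osc.edu/volume-permission") "0750" }}`,
}

// SamplePVC reproduces the labels and annotations of the test-ess PVC.
func SamplePVC() PVCInfo {
	return PVCInfo{
		Name: "test-ess", Namespace: "tdockendorf",
		Labels: map[string]string{
			"osc.edu/service-account-uid": "20821",
			"osc.edu/service-account-gid": "5509",
		},
		Annotations: map[string]string{"osc.edu/fileset": "PZS0708"},
	}
}
```

For the PVC above, `ResolveOwnership(PagePatterns, SamplePVC())` yields uid 20821, gid 5509 and mode `0750`, matching the `drwxr-x--- tdockendorf PZS0708` directory in the listing. Dropping the `osc.edu/service-account-uid` label makes the user pattern render as an empty string, which the check turns into an error instead of a silent default; an `osc.edu/volume-permission: "0777"` annotation is refused by the world-writable policy.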
