Update uid/gid Readme #752

Merged (1 commit), Aug 11, 2022
11 changes: 7 additions & 4 deletions docs/README.md
Expand Up @@ -31,9 +31,9 @@ The following CSI interfaces are implemented:
| provisioningMode | efs-ap | | false | Type of volume provisioned by efs. Currently, Access Points are supported. |
| fileSystemId | | | false | File System under which access points are created. |
| directoryPerms | | | false | Directory permissions for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation. |
| uid | | | true | POSIX user Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation. |
| gid | | | true | POSIX group Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation. |
| gidRangeStart | | 50000 | true | Start range of the POSIX group Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation. Not used if uid/gid is set. |
| uid | | | true | POSIX user Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation and for [user identity enforcement](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points). |
| gid | | | true | POSIX group Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation and for [user identity enforcement](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points). |
| gidRangeStart | | 50000 | true | Start range of the POSIX group Id to be applied for [Access Point root directory](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) creation and for [user identity enforcement](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points). Not used if uid/gid is set. For user identity enforcement, this value will be applied as both the uid and the gid. |
| gidRangeEnd | | 7000000 | true | End range of the POSIX group Id. Not used if uid/gid is set. |
| basePath | | | true | Path under which access points for dynamic provisioning is created. If this parameter is not specified, access points are created under the root directory of the file system |
| az | | "" | true | Used for cross-account mount. `az` under storage class parameter is optional. If specified, mount target associated with the az will be used for cross-account mount. If not specified, a random mount target will be picked for cross account mount |
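Review bot: the new sentence on the `gidRangeStart` row, "this value will be applied as both the uid and the gid", reads as though the range start itself becomes the identity, while the second hunk in this same file says the identity is "a value in the gidRangeStart-gidRangeEnd"; suggest "the GID allocated from this range will be applied as both the uid and the gid". The `gidRangeEnd` row was not given the matching identity-enforcement wording, so either update it too or make the `gidRangeStart` sentence speak about the whole range. Since the uid/gid placed on the access point now replaces the client's identity for every file system operation (per the bullet added further down in this PR), it would also help operators to say on the `uid`/`gid` rows that these values determine the effective identity for all files written through the volume, not only the ownership of the root directory.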
Expand All @@ -42,7 +42,10 @@ The following CSI interfaces are implemented:
* Custom Posix group Id range for Access Point root directory must include both `gidRangeStart` and `gidRangeEnd` parameters. These parameters are optional only if both are omitted. If you specify one, the other becomes mandatory.
* When using a custom Posix group ID range, there is a possibility for the driver to run out of available POSIX group Ids. We suggest ensuring custom group ID range is large enough or create a new storage class with a new file system to provision additional volumes.
* `az` under storage class parameter is not be confused with efs-utils mount option `az`. The `az` mount option is used for cross-az mount or efs one zone file system mount within the same aws account as the cluster.

* Using dynamic provisioning, [user identity enforcement]((https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points)) is always applied.
* When user enforcement is enabled, Amazon EFS replaces the NFS client's user and group IDs with the identity configured on the access point for all file system operations.
* The uid/gid configured on the access point is either the uid/gid specified in the storage class, a value in the gidRangeStart-gidRangeEnd (used as both uid/gid) specified in the storage class, or is a value selected by the driver is no uid/gid or gidRange is specified.
* We suggest using [static provisioning](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/static_provisioning/README.md) if you do not wish to use user identity enforcement.
### Encryption In Transit
One of the advantages of using EFS is that it provides [encryption in transit](https://aws.amazon.com/blogs/aws/new-encryption-of-data-in-transit-for-amazon-efs/) support using TLS. Using encryption in transit, data will be encrypted during its transition over the network to the EFS service. This provides an extra layer of defence-in-depth for applications that requires strict security compliance.

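Review bot: the link on the "Using dynamic provisioning" bullet has doubled parentheses, `[user identity enforcement]((https://...))`, which Markdown renders as a literal `(` with a broken link; drop one pair. In the third new bullet, "or is a value selected by the driver is no uid/gid or gidRange is specified" should read "or a value selected by the driver if no uid/gid or gidRange is specified", and it is worth stating where that driver-selected value comes from (the table above gives the defaults 50000 to 7000000), because with enforcement always applied, whichever value lands on the access point is the identity for every operation on that volume, fixed per access point regardless of which client user performs it; an operator reasoning about file permissions on the EFS side needs that stated plainly rather than inferred from two bullets.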
11 changes: 6 additions & 5 deletions pkg/driver/config_dir.go
Expand Up @@ -28,14 +28,15 @@ import (
// (i.e. when the user does not need to durably store configs and thus does not mount host directories), an empty
// directory will be created at etcAmazonEfs.
//
// - legacyDir is the path to a config directory where previous versions of this driver may have written config
// files. In previous versions of this driver, a host path that was not writeable on Bottlerocket hosts
// was being used, so we introduce preferredDir.
// - legacyDir is the path to a config directory where previous versions of this driver may have written config
// files. In previous versions of this driver, a host path that was not writeable on Bottlerocket hosts
// was being used, so we introduce preferredDir.
//
// - preferredDir is the path to config directory that we will use so long as we do not find files in legacyDir.
//
// - etcAmazonEfs is the path where the symlink will be written. In practice, this will always be /etc/amazon/efs, but
// we take it as an input so the function can be tested.
// - etcAmazonEfs is the path where the symlink will be written. In practice, this will always be /etc/amazon/efs, but
// we take it as an input so the function can be tested.
//
// Examples:
// On a host that has EFS mounts created by an earlier version of this driver, InitConfigDir will detect a conf file in
// legacyDir and write a symlink at etcAmazonEfs pointing to legacyDir.
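Review bot: this hunk only re-indents the bulleted doc comment (the list layout newer gofmt applies to doc comments), which is unrelated to the PR title "Update uid/gid Readme"; harmless, but a reformat-only change mixed into a docs PR makes `git blame` on these comment lines point at an unrelated commit. Suggest either a separate formatting commit or a line in the commit message noting that the Go files were touched only by gofmt. While here, "was being used, so we introduce preferredDir" reads better as "was being used, so preferredDir was introduced".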
3 changes: 2 additions & 1 deletion pkg/driver/efs_watch_dog.go
Expand Up @@ -187,7 +187,8 @@ func (w *execWatchdog) setup(efsClientSource string) error {
return nil
}

/**
/*
*
At image build time, static files installed by efs-utils in the config directory, i.e. CAs file, need
to be saved in another place so that the other stateful files created at runtime, i.e. private key for
client certificate, in the same config directory can be persisted to host with a host path volume.
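Review bot: the rewrite of `/**` into `/*` followed by a lone `*` line leaves an empty bullet-looking line at the top of the comment, which is what the formatter does with a Javadoc-style opener but is not what anyone would write by hand. Since this comment sits on package-level code, consider converting the whole block to `//` line comments, the idiomatic Go form, which also stops the formatter from reshaping it on the next run.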
6 changes: 3 additions & 3 deletions pkg/driver/gid_allocator.go
Expand Up @@ -44,7 +44,7 @@ func NewGidAllocator() GidAllocator {
}
}

//Retrieves the next available GID
// Retrieves the next available GID
func (g *GidAllocator) getNextGid(fsId string, gidMin, gidMax int) (int, error) {
g.mu.Lock()
defer g.mu.Unlock()
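Review bot: "Retrieves the next available GID" should say what happens when the `gidMin..gidMax` range for `fsId` is exhausted, since the README in this same PR warns that the driver can run out of group IDs; state that an error is returned in that case (the signature already returns `(int, error)`) and that the call holds `g.mu` for its duration, so the comment doubles as the concurrency contract for callers. Go convention is also to start the comment with the identifier: "getNextGid returns ...".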
Expand Down Expand Up @@ -74,7 +74,7 @@ func (g *GidAllocator) releaseGid(fsId string, gid int) {
gidHeap.Push(gid)
}

//Creates an entry fsIdGidMap if fsId does not exist.
// Creates an entry fsIdGidMap if fsId does not exist.
func (g *GidAllocator) initFsId(fsId string, gidMin, gidMax int) {
h := initHeap(gidMin, gidMax)
heap.Init(h)
Expand All @@ -87,7 +87,7 @@ func (g *GidAllocator) removeFsId(fsId string) {
delete(g.fsIdGidMap, fsId)
}

//Initializes a heap inclusive of min & max
// Initializes a heap inclusive of min & max
func initHeap(min, max int) *IntHeap {
h := make(IntHeap, max-min+1)
val := min
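Review bot: `make(IntHeap, max-min+1)` allocates one entry per ID in the range up front; with the README defaults of `gidRangeStart`=50000 and `gidRangeEnd`=7000000 that is roughly 6.95 million ints per file system ID, and a user-supplied range with `max < min` passes a negative length to `make`, which panics the driver. The comment "Initializes a heap inclusive of min & max" should state that the range is expected to be validated (both bounds present and `min <= max`) before this function is called, or the check should be added here and surfaced as an `InvalidArgument` error rather than a panic.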
11 changes: 6 additions & 5 deletions pkg/driver/node.go
Expand Up @@ -375,11 +375,12 @@ func (d *Driver) validateFStype(volCaps []*csi.VolumeCapability) error {

// parseVolumeId accepts a NodePublishVolumeRequest.VolumeId as a colon-delimited string of the
// form `{fileSystemID}:{mountPath}:{accessPointID}`.
// - The `{fileSystemID}` is required, and expected to be of the form `fs-...`.
// - The other two fields are optional -- they may be empty or omitted entirely. For example,
// `fs-abcd1234::`, `fs-abcd1234:`, and `fs-abcd1234` are equivalent.
// - The `{mountPath}`, if specified, is not required to be absolute.
// - The `{accessPointID}` is expected to be of the form `fsap-...`.
// - The `{fileSystemID}` is required, and expected to be of the form `fs-...`.
// - The other two fields are optional -- they may be empty or omitted entirely. For example,
// `fs-abcd1234::`, `fs-abcd1234:`, and `fs-abcd1234` are equivalent.
// - The `{mountPath}`, if specified, is not required to be absolute.
// - The `{accessPointID}` is expected to be of the form `fsap-...`.
//
// parseVolumeId returns the parsed values, of which `subpath` and `apid` may be empty; and an
// error, which will be a `status.Error` with `codes.InvalidArgument`, or `nil` if the `volumeId`
// was parsed successfully.
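Review bot: the re-indent is fine, but one wording point on the moved lines: "The `{mountPath}`, if specified, is not required to be absolute" leaves open whether a relative path containing `..` segments is accepted. Since this string arrives in a `NodePublishVolumeRequest` from the caller, the comment should say how non-normalized segments are treated (rejected with the `codes.InvalidArgument` error class the comment already names, or cleaned), so readers of the parser know the contract without reading the implementation.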
4 changes: 3 additions & 1 deletion pkg/driver/version.go
Expand Up @@ -3,7 +3,9 @@ Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
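Review bot: this hunk only moves the license URL into its own blank-line-separated, indented paragraph (the same edit appears in version_test.go and vol_statter.go below), which is the formatter treating the URL line as a code block inside the doc comment; no objection, but it confirms these Go changes came from running a newer gofmt rather than from the uid/gid README change, so the commit message should say so, and the header should be checked against whatever license-header check the project runs, if any, since a line-based matcher may no longer recognise it.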
4 changes: 3 additions & 1 deletion pkg/driver/version_test.go
Expand Up @@ -3,7 +3,9 @@ Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
4 changes: 3 additions & 1 deletion pkg/driver/vol_statter.go
Expand Up @@ -3,7 +3,9 @@ Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.