feat: disable kataCCMount by default

fix

Makefile

@@ -28,7 +28,7 @@ CSI_IMAGE_TAG ?= $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
 CSI_IMAGE_TAG_LATEST = $(REGISTRY)/$(IMAGE_NAME):latest
 BUILD_DATE ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 LDFLAGS ?= "-X ${PKG}/pkg/azurefile.driverVersion=${IMAGE_VERSION} -X ${PKG}/pkg/azurefile.gitCommit=${GIT_COMMIT} -X ${PKG}/pkg/azurefile.buildDate=${BUILD_DATE} -s -w -extldflags '-static'"
-E2E_HELM_OPTIONS ?= --set image.azurefile.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.azurefile.tag=$(IMAGE_VERSION) --set linux.dnsPolicy=ClusterFirstWithHostNet --set driver.userAgentSuffix="e2e-test"
+E2E_HELM_OPTIONS ?= --set image.azurefile.repository=$(REGISTRY)/$(IMAGE_NAME) --set image.azurefile.tag=$(IMAGE_VERSION) --set node.enableKataCCMount=true --set linux.dnsPolicy=ClusterFirstWithHostNet --set driver.userAgentSuffix="e2e-test"
 E2E_HELM_OPTIONS += ${EXTRA_HELM_OPTIONS}
 ifdef KUBERNETES_VERSION # disable kubelet-registration-probe on capz cluster testing
 E2E_HELM_OPTIONS += --set linux.enableRegistrationProbe=false --set windows.enableRegistrationProbe=false

charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml

@@ -136,6 +136,7 @@ spec:
             - "--mount-permissions={{ .Values.linux.mountPermissions }}"
             - "--allow-inline-volume-key-access-with-identity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
             - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}"
+            - "--enable-kata-cc-mount={{ .Values.node.enableKataCCMount }}"
           livenessProbe:
             failureThreshold: 5
             httpGet:
@@ -193,6 +194,10 @@ spec:
               mountPath: /etc/pki/ca-trust/extracted
               readOnly: true
             {{- end }}
+            {{- if .Values.node.enableKataCCMount }}
+            - mountPath: /run/kata-containers/shared/direct-volumes
+              name: kata-direct-volumes
+            {{- end }}
           resources: {{- toYaml .Values.linux.resources.azurefile | nindent 12 }}
       volumes:
         - hostPath:
@@ -223,4 +228,10 @@ spec:
           hostPath:
             path: /etc/pki/ca-trust/extracted
         {{- end }}
+        {{- if .Values.node.enableKataCCMount }}
+        - name: kata-direct-volumes
+          hostPath:
+            path: /run/kata-containers/shared/direct-volumes/
+            type: DirectoryOrCreate
+        {{- end }}
 {{- end -}}

charts/latest/azurefile-csi-driver/templates/rbac-csi-azurefile-node.yaml

@@ -26,49 +26,26 @@ roleRef:
   kind: ClusterRole
   name: csi-{{ .Values.rbac.name }}-node-secret-role
   apiGroup: rbac.authorization.k8s.io
-{{ end }}
 ---
+{{- if Values.node.enableKataCCMount -}}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-pod-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   labels:
     {{- include "azurefile.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-{{ .Values.rbac.name }}-node-pod-binding
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.serviceAccount.node }}
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: csi-{{ .Values.rbac.name }}-node-pod-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: csi-{{ .Values.rbac.name }}-node-rc-role
-  labels:
-    {{- include "azurefile.labels" . | nindent 4 }}
-rules:
   - apiGroups: ["node.k8s.io"]
     resources: ["runtimeclasses"]
     verbs: ["get", "list"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-{{ .Values.rbac.name }}-node-rc-binding
+  name: csi-{{ .Values.rbac.name }}-node-katacc-binding
   labels:
     {{- include "azurefile.labels" . | nindent 4 }}
 subjects:
@@ -77,6 +54,8 @@ subjects:
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-{{ .Values.rbac.name }}-node-rc-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   apiGroup: rbac.authorization.k8s.io
 ---
+{{ end }}
+{{ end }}

charts/latest/azurefile-csi-driver/values.yaml

@@ -116,6 +116,7 @@ node:
   cloudConfigSecretNamespace: kube-system
   allowEmptyCloudConfig: true
   allowInlineVolumeKeyAccessWithIdentity: false
+  enableKataCCMount: false
   metricsPort: 29615
   livenessProbe:
     healthPort: 29613

deploy/csi-azurefile-node.yaml

@@ -100,6 +100,7 @@ spec:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--metrics-address=0.0.0.0:29615"
+            - "--enable-kata-cc-mount=true"
           livenessProbe:
             failureThreshold: 5
             httpGet:

deploy/rbac-csi-azurefile-controller.yaml

@@ -193,25 +193,3 @@ roleRef:
   name: csi-azurefile-controller-secret-role
   apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-controller-pod-role
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-controller-pod-binding
-subjects:
-  - kind: ServiceAccount
-    name: csi-azurefile-controller-sa
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: csi-azurefile-controller-pod-role
-  apiGroup: rbac.authorization.k8s.io
----

deploy/rbac-csi-azurefile-node.yaml

@@ -32,44 +32,29 @@ roleRef:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-azurefile-node-pod-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-azurefile-node-pod-binding
-subjects:
-  - kind: ServiceAccount
-    name: csi-azurefile-node-sa
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: csi-azurefile-node-pod-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: csi-azurefile-node-rc-role
-rules:
   - apiGroups: ["node.k8s.io"]
     resources: ["runtimeclasses"]
     verbs: ["get", "list"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-azurefile-node-rc-binding
+  name: csi-{{ .Values.rbac.name }}-node-katacc-binding
+  labels:
+    {{- include "azurefile.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: csi-azurefile-node-sa
-    namespace: kube-system
+    name: {{ .Values.serviceAccount.node }}
+    namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-azurefile-node-rc-role
+  name: csi-{{ .Values.rbac.name }}-node-katacc-role
   apiGroup: rbac.authorization.k8s.io
 ---

hack/verify-yamllint.sh

@@ -21,7 +21,7 @@ fi
 LOG=/tmp/yamllint.log
 helmPath=charts/latest/azurefile-csi-driver/templates
 
-for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml"
+for path in "deploy/*.yaml" "deploy/example/*.yaml" "deploy/example/snapshot/*.yaml" "deploy/example/disk/*.yaml" "deploy/example/windows/*.yaml" "deploy/example/metrics/*.yaml" "deploy/example/largeFileShares/*.yaml" "deploy/example/smb-provisioner/*.yaml" "deploy/example/cloning/*.yaml" "deploy/example-cc/*.yaml"
 do
     echo "checking yamllint under path: $path ..."
     yamllint -f parsable $path | grep -v "line too long" > $LOG

pkg/azurefile/azurefile.go

@@ -234,6 +234,7 @@ type Driver struct {
 	appendNoResvPortOption                 bool
 	appendActimeoOption                    bool
 	printVolumeStatsCallLogs               bool
+	enableKataCCMount                      bool
 	mounter                                *mount.SafeFormatAndMount
 	server                                 *grpc.Server
 	// lock per volume attach (only for vhd disk feature)
@@ -294,6 +295,7 @@ func NewDriver(options *DriverOptions) *Driver {
 	driver.enableVHDDiskFeature = options.EnableVHDDiskFeature
 	driver.enableVolumeMountGroup = options.EnableVolumeMountGroup
 	driver.enableGetVolumeStats = options.EnableGetVolumeStats
+	driver.enableKataCCMount = options.EnableKataCCMount
 	driver.appendMountErrorHelpLink = options.AppendMountErrorHelpLink
 	driver.mountPermissions = options.MountPermissions
 	driver.fsGroupChangePolicy = options.FSGroupChangePolicy

pkg/azurefile/azurefile_options.go

@@ -68,7 +68,7 @@ func (o *DriverOptions) AddFlags() *flag.FlagSet {
 	fs.BoolVar(&o.EnableVHDDiskFeature, "enable-vhd", true, "enable VHD disk feature (experimental)")
 	fs.BoolVar(&o.EnableVolumeMountGroup, "enable-volume-mount-group", true, "indicates whether enabling VOLUME_MOUNT_GROUP")
 	fs.BoolVar(&o.EnableGetVolumeStats, "enable-get-volume-stats", true, "allow GET_VOLUME_STATS on agent node")
-	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", true, "enable Kata Confidential Containers mount")
+	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", false, "enable Kata Confidential Containers mount")
 	fs.BoolVar(&o.AppendMountErrorHelpLink, "append-mount-error-help-link", true, "Whether to include a link for help with mount errors when a mount error occurs.")
 	fs.Uint64Var(&o.MountPermissions, "mount-permissions", 0777, "mounted folder permissions")
 	fs.StringVar(&o.FSGroupChangePolicy, "fsgroup-change-policy", "", "indicates how the volume's ownership will be changed by the driver, OnRootMismatch is the default value")

pkg/azurefile/azurefile_test.go

@@ -63,6 +63,7 @@ func NewFakeDriver() *Driver {
 		KubeConfig:                  "",
 		Endpoint:                    "tcp://127.0.0.1:0",
 		WaitForAzCopyTimeoutMinutes: 1,
+		EnableKataCCMount:           true,
 	}
 	driver := NewDriver(&driverOptions)
 	driver.Name = fakeDriverName

pkg/azurefile/nodeserver.go

@@ -100,48 +100,50 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 			}
 		}
 
-		enableKataCCMount := getValueInMap(context, enableKataCCMountField)
-		if enableKataCCMount == "" {
-			enableKataCCMount = falseValue
-		}
-		enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
-		if err != nil {
-			return &csi.NodePublishVolumeResponse{}, err
-		}
-		if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
-			runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
-			if err != nil {
-				klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
-				return &csi.NodePublishVolumeResponse{}, nil
+		if d.enableKataCCMount {
+			enableKataCCMount := getValueInMap(context, enableKataCCMountField)
+			if enableKataCCMount == "" {
+				enableKataCCMount = falseValue
 			}
-			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
-			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
+			enableKataCCMountVal, err := strconv.ParseBool(enableKataCCMount)
 			if err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
+				return &csi.NodePublishVolumeResponse{}, err
 			}
-			if isConfidentialRuntimeClass {
-				klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass %s is kata-cc", volumeID, runtimeClass)
-				source := req.GetStagingTargetPath()
-				if len(source) == 0 {
-					return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
-				}
-				// Load the mount info from staging area
-				mountInfo, err := d.directVolume.VolumeMountInfo(source)
+			if enableKataCCMountVal && context[podNameField] != "" && context[podNamespaceField] != "" {
+				runtimeClass, err := getRuntimeClassForPodFunc(ctx, d.cloud.KubeClient, context[podNameField], context[podNamespaceField])
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
-				}
-				if mountInfo == nil {
-					return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					klog.Errorf("failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				data, err := json.Marshal(mountInfo)
+				klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
+				isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.cloud.KubeClient, runtimeClass)
 				if err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
 				}
-				if err = d.directVolume.Add(target, string(data)); err != nil {
-					return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+				if isConfidentialRuntimeClass {
+					klog.V(2).Infof("NodePublishVolume for volume(%s) where runtimeClass %s is kata-cc", volumeID, runtimeClass)
+					source := req.GetStagingTargetPath()
+					if len(source) == 0 {
+						return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+					}
+					// Load the mount info from staging area
+					mountInfo, err := d.directVolume.VolumeMountInfo(source)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to load mount info from %s: %v", source, err)
+					}
+					if mountInfo == nil {
+						return nil, status.Errorf(codes.Internal, "mount info is nil for volume %s", volumeID)
+					}
+					data, err := json.Marshal(mountInfo)
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to marshal mount info %s: %v", source, err)
+					}
+					if err = d.directVolume.Add(target, string(data)); err != nil {
+						return nil, status.Errorf(codes.Internal, "failed to save mount info %s: %v", target, err)
+					}
+					klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
+					return &csi.NodePublishVolumeResponse{}, nil
 				}
-				klog.V(2).Infof("NodePublishVolume: direct volume mount %s at %s successfully", source, target)
-				return &csi.NodePublishVolumeResponse{}, nil
 			}
 		}
 	}
@@ -197,10 +199,13 @@ func (d *Driver) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpublishVo
 		return nil, status.Errorf(codes.Internal, "failed to unmount target %s: %v", targetPath, err)
 	}
 
-	// Remove deletes the direct volume path including all the files inside it.
-	// if there is no kata-cc mountinfo present on this path, it will return nil.
-	if err := d.directVolume.Remove(targetPath); err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
+	if d.enableKataCCMount {
+		klog.V(2).Infof("NodeUnstageVolume: remove direct volume mount info %s from %s", volumeID, targetPath)
+		// Remove deletes the direct volume path including all the files inside it.
+		// if there is no kata-cc mountinfo present on this path, it will return nil.
+		if err := d.directVolume.Remove(targetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to direct volume remove mount info %s: %v", targetPath, err)
+		}
 	}
 
 	klog.V(2).Infof("NodeUnpublishVolume: unmount volume %s on %s successfully", volumeID, targetPath)
@@ -428,7 +433,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	}
 
 	// If runtime OS is not windows and protocol is not nfs, save mountInfo.json
-	if enableKataCCMount {
+	if d.enableKataCCMount && enableKataCCMount {
 		if runtime.GOOS != "windows" && protocol != nfs {
 			// Check if mountInfo.json is already present at the targetPath
 			isMountInfoPresent, err := d.directVolume.VolumeMountInfo(cifsMountPath)
@@ -539,9 +544,11 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 		}
 	}
 
-	klog.V(2).Infof("NodeUnstageVolume:remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
-	if err := d.directVolume.Remove(stagingTargetPath); err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
+	if d.enableKataCCMount {
+		klog.V(2).Infof("NodeUnstageVolume: remove direct volume mount info %s from %s", volumeID, stagingTargetPath)
+		if err := d.directVolume.Remove(stagingTargetPath); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to remove mount info %s: %v", stagingTargetPath, err)
+		}
 	}
 
 	klog.V(2).Infof("NodeUnstageVolume: unmount volume %s on %s successfully", volumeID, stagingTargetPath)

pkg/azurefile/nodeserver_test.go

@@ -346,7 +346,9 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				if runtime.GOOS != "windows" {
+					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				}
 			},
 			expectedErr: testutil.TestError{},
 		},
@@ -891,7 +893,9 @@ func TestNodeUnstageVolume(t *testing.T) {
 			desc: "[Success] Valid request",
 			req:  csi.NodeUnstageVolumeRequest{StagingTargetPath: targetFile, VolumeId: "vol_1"},
 			setup: func() {
-				mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				if runtime.GOOS != "windows" {
+					mockDirectVolume.EXPECT().Remove(targetFile).Return(nil)
+				}
 			},
 			expectedErr: testutil.TestError{},
 		},