fix: secret namespace searching issue #528

andyzhangx · 2021-10-02T02:42:45Z

What type of PR is this?
/kind bug

What this PR does / why we need it:
fix: secret namespace searching issue
if node identity does not have permission to list storage account key, it would fail to mount, this PR fixed the issue.

Which issue(s) this PR fixes:

Fixes #

Requirements:

uses conventional commit messages
includes documentation
adds unit tests
tested upgrade from previous version

Special notes for your reviewer:

I1001 15:34:44.671778       1 utils.go:114] GRPC call: /csi.v1.Node/NodeStageVolume
I1001 15:34:44.671797       1 utils.go:115] GRPC request: {"staging_target_path":"/var/lib/kubelet/plugins/kubernetes.io/csi/pv/blob-694-blob.csi.azure.com-preprovsioned-pv-4wzwn/globalmount","volume_capability":{"AccessType":{"Mount":{}},"access_mode":{"mode":5}},"volume_id":"kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-multiple-pods1633102415563718032#pre-provisioned-multiple-pods1633102415563718032"}
I1001 15:34:44.671897       1 blob.go:327] volumeID(kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-multiple-pods1633102415563718032#pre-provisioned-multiple-pods1633102415563718032) authEnv: []
I1001 15:34:44.678140       1 round_trippers.go:454] GET https://10.0.0.1:443/api/v1/namespaces/default/secrets/azure-storage-account-fused9a41945a0154b6fbfd-secret 404 Not Found in 6 milliseconds
I1001 15:34:44.678227       1 blob.go:370] get account(fused9a41945a0154b6fbfd) key from secret(default, azure-storage-account-fused9a41945a0154b6fbfd-secret) failed with error: could not get secret(azure-storage-account-fused9a41945a0154b6fbfd-secret): secrets "azure-storage-account-fused9a41945a0154b6fbfd-secret" not found, use cluster identity to get account key instead
I1001 15:34:44.740101       1 nodeserver.go:289] target /var/lib/kubelet/plugins/kubernetes.io/csi/pv/blob-694-blob.csi.azure.com-preprovsioned-pv-4wzwn/globalmount
protocol

volumeId kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-multiple-pods1633102415563718032#pre-provisioned-multiple-pods1633102415563718032
context map[]
mountflags []
mountOptions [--tmp-path=/mnt/kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-multiple-pods1633102415563718032#pre-provisioned-multiple-pods1633102415563718032#1633102484 --container-name=pre-provisioned-multiple-pods1633102415563718032 --pre-mount-validate=true --use-https=true --cancel-list-on-mount-seconds=60]
args /var/lib/kubelet/plugins/kubernetes.io/csi/pv/blob-694-blob.csi.azure.com-preprovsioned-pv-4wzwn/globalmount --tmp-path=/mnt/kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-multiple-pods1633102415563718032#pre-provisioned-multiple-pods1633102415563718032#1633102484 --container-name=pre-provisioned-multiple-pods1633102415563718032 --pre-mount-validate=true --use-https=true --cancel-list-on-mount-seconds=60
I1001 15:34:44.740144       1 nodeserver.go:129] mouting using blobfuse proxy
I1001 15:34:44.740699       1 nodeserver.go:142] calling BlobfuseProxy: MountAzureBlob function
E1001 15:34:44.841275       1 nodeserver.go:145] GRPC call returned with an error:rpc error: code = Unknown desc = exit status 1
E1001 15:34:44.841310       1 nodeserver.go:311] Mount failed with error: rpc error: code = Unknown desc = exit status 1, output:
E1001 15:34:44.841414       1 utils.go:119] GRPC error: Mount failed with error: rpc error: code = Unknown desc = exit status 1, output:


Oct 01 15:32:19 k8s-agentpool1-13157012-1 blobfuse-proxy[6463]: I1001 15:32:19.669420    6463 server.go:53] received mount request: Mounting with args /var/lib/kubelet/plugins/kubernetes.io/csi/pv/blob-8081-blob.csi.azure.com-preprovsioned-pv-s8fx9/globalmount --pre-mount-validate=true --use-https=true --cancel-list-on-mount-seconds=60 --tmp-path=/mnt/kubetest-rimgvzsp#fused9a41945a0154b6fbfd#pre-provisioned-readonly#pre-provisioned-readonly#1633102339 --container-name=pre-provisioned-readonly
Oct 01 15:32:19 k8s-agentpool1-13157012-1 blobfuse-proxy[6463]: E1001 15:32:19.745407    6463 server.go:61] blobfuse mount failed: with error:exit status 1
Oct 01 15:32:19 k8s-agentpool1-13157012-1 blobfuse-proxy[6463]: I1001 15:32:19.745663    6463 server.go:66] blobfuse output: fuse: unknown option `--pre-mount-validate=true'

Release note:

fix: secret namespace searching issue

k8s-ci-robot · 2021-10-02T02:43:04Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [andyzhangx]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

andyzhangx · 2021-10-02T03:59:45Z

/hold

fix: secret namespace searching issue

6f3fc65

k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 2, 2021

k8s-ci-robot requested review from feiskyer and ZeroMagic October 2, 2021 02:43

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2021

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 2, 2021

andyzhangx merged commit 03eb784 into kubernetes-sigs:master Oct 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: secret namespace searching issue #528

fix: secret namespace searching issue #528

andyzhangx commented Oct 2, 2021 •

edited

Loading

k8s-ci-robot commented Oct 2, 2021

andyzhangx commented Oct 2, 2021

fix: secret namespace searching issue #528

fix: secret namespace searching issue #528

Conversation

andyzhangx commented Oct 2, 2021 • edited Loading

k8s-ci-robot commented Oct 2, 2021

andyzhangx commented Oct 2, 2021

andyzhangx commented Oct 2, 2021 •

edited

Loading