m/n/k/reconciler: set fsGroupPolicy for CSI driver

This fixes an issue where kubelet did not apply fsGroupChangePolicy due
to questionable capability detection code with the default
fsGroupPolicy. Setting this to the File policy asserts that this driver
always supports ownership changes and thus bypasses that Kubernetes
capability detection code.

Change-Id: I4799a01561af4f3d9c0de7a6040fd5f9db784d3e
Reviewed-on: https://review.monogon.dev/c/monogon/+/2784
Tested-by: Jenkins CI
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
diff --git a/metropolis/node/kubernetes/reconciler/resources_csi.go b/metropolis/node/kubernetes/reconciler/resources_csi.go
index 04d52a8..24939f0 100644
--- a/metropolis/node/kubernetes/reconciler/resources_csi.go
+++ b/metropolis/node/kubernetes/reconciler/resources_csi.go
@@ -57,6 +57,7 @@
 }
 
 func (r resourceCSIDrivers) Expected() map[string]interface{} {
+	fsGroupPolicy := storage.FileFSGroupPolicy
 	return map[string]interface{}{
 		csiProvisionerName: &storage.CSIDriver{
 			ObjectMeta: meta.ObjectMeta{
@@ -67,6 +68,8 @@
 				AttachRequired:       False(),
 				PodInfoOnMount:       False(),
 				VolumeLifecycleModes: []storage.VolumeLifecycleMode{storage.VolumeLifecyclePersistent},
+				// TODO(#288): Make sure this gets applied to existing clusters
+				FSGroupPolicy: &fsGroupPolicy,
 			},
 		},
 	}
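Review bot: The TODO above `FSGroupPolicy: &fsGroupPolicy` leaves open how clusters that already have this CSIDriver object pick up the new policy, and nothing in either hunk shows how the reconciler treats an existing object whose spec differs from `Expected()` (the function's end and the update logic are outside this diff). The Kubernetes API reference describes `spec.fsGroupPolicy` as immutable before 1.29, so an in-place update may be rejected on older control planes and a delete-and-recreate path could be needed; please confirm against the versions this ships with. Until that is resolved, existing clusters stay on the default policy, and pods that rely on `fsGroup` to reach their volumes as a non-root user will presumably keep seeing unchanged ownership there. I would also record the reason next to the field so it is not lost with the commit message, e.g. `// File: kubelet always applies the pod's fsGroup to the volume instead of relying on its capability detection.`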