metropolis/node/kubernetes: add mountOptions support for PVs

We have very strict defaults on our data mount which prevent execs and
suid binaries. By adding support for mountOptions on PVs we enable
the user to allow specific behaviour, e.g. execs on the given PV.

Change-Id: I902cf3b9dafb14598cddc18c327ef3f5bcd6450b
Reviewed-on: https://review.monogon.dev/c/monogon/+/3421
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/kubernetes/reconciler/resources_storageclass.go b/metropolis/node/kubernetes/reconciler/resources_storageclass.go
index b242bbf..36dee1c 100644
--- a/metropolis/node/kubernetes/reconciler/resources_storageclass.go
+++ b/metropolis/node/kubernetes/reconciler/resources_storageclass.go
@@ -66,12 +66,41 @@
 				Labels: builtinLabels(nil),
 				Annotations: map[string]string{
 					"storageclass.kubernetes.io/is-default-class": "true",
+					"kubernetes.io/description": "local is the default storage class on Metropolis. " +
+						"It stores data on the node root disk and supports space limits, resizing and oversubscription but no snapshots. " +
+						"It is backed by XFS and uses permissive mounting options (exec,dev,suid). " +
+						"If you want more strict mounting options, chose the `local-strict` storage class.",
 				},
 			},
 			AllowVolumeExpansion: True(),
 			Provisioner:          csiProvisionerName,
 			ReclaimPolicy:        &reclaimPolicyDelete,
 			VolumeBindingMode:    &waitForConsumerBinding,
+			MountOptions: []string{
+				"exec",
+				"dev",
+				"suid",
+			},
+		},
+		&storage.StorageClass{
+			ObjectMeta: meta.ObjectMeta{
+				Name:   "local-strict",
+				Labels: builtinLabels(nil),
+				Annotations: map[string]string{
+					"storageclass.kubernetes.io/is-default-class": "false",
+					"kubernetes.io/description": "local-strict is the same as local (see its description) but uses strict mount options (noexec, nodev, nosuid). " +
+						"It is best used together with readOnlyRoot to restrict exploitation vectors.",
+				},
+			},
+			AllowVolumeExpansion: True(),
+			Provisioner:          csiProvisionerName,
+			ReclaimPolicy:        &reclaimPolicyDelete,
+			VolumeBindingMode:    &waitForConsumerBinding,
+			MountOptions: []string{
+				"noexec",
+				"nodev",
+				"nosuid",
+			},
 		},
 	}
 }
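Review bot: The `kubernetes.io/description` annotation of the `local` class contains a typo in a user-facing string: `chose` where `choose` is meant, in the sentence that points users to the `local-strict` class. Separately, the class carrying `storageclass.kubernetes.io/is-default-class: "true"` is the permissive one (`exec`, `dev`, `suid`), so any PVC that names no storage class now receives the weaker mount options; if the strict defaults described in the commit message are intended to remain the default for Kubernetes workloads as well, the default flag arguably belongs on `local-strict`, and either way the chosen default is worth stating explicitly in the description. The enclosing function starts before this hunk.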