Trident 20.07.1 requires `parameter.fsType` in StorageClasses for iSCSI PVCs (if using fsGroups and Security Context Constraints)
Applies to
Trident 20.07.1 and above
Kubernetes 1.17 and above
iSCSI backends (ONTAP, HCI/SolidFire)
Issue
When installing or upgrading to Trident 20.07.1 and later on Kubernetes 1.17 and later, newly created iSCSI volumes will not be writable if both of the following are true:
- The StorageClass does not specify an fsType (the `parameters.fsType` field of the StorageClass).
- The pod using the requested PVC has an fsGroup set in its securityContext, or one enforced by a Security Context Constraint.
An example podSpec would look like this:
---
apiVersion: v1
kind: Pod
metadata:
  name: sec-ctx-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000          # kubelet is expected to make the mounted volume group-owned by 2000
  volumes:
  - name: sec-ctx-vol
    persistentVolumeClaim:
      claimName: san-pvc   # PVC provisioned from a StorageClass without parameters.fsType
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
A "Permission denied" error is observed when attempting to write to a PV whose FSType is blank. The kubelet's CSI volume plugin only applies fsGroup ownership changes to a mounted volume when the PV carries a non-empty fsType; with it blank the mount keeps its original root ownership, so the container process running as UID 1000 / GID 3000 cannot write to it. `kubectl describe pv` on such a volume shows the empty FSType:
Name:              pvc-b6bf10ac-6731-4b77-9963-b4d5516e4487
Labels:            <none>
Annotations:       pv.kubernetes.io/provisioned-by: csi.trident.netapp.io
Finalizers:        [kubernetes.io/pv-protection external-attacher/csi-trident-netapp-io]
StorageClass:      san-undefined-fstype
Status:            Bound
Claim:             default/san-pvc
Reclaim Policy:    Delete
Access Modes:      RWO
VolumeMode:        Filesystem
Capacity:          100Mi
Node Affinity:     <none>
Message:
Source:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            csi.trident.netapp.io
    FSType:
    VolumeHandle:      pvc-b6bf10ac-6731-4b77-9963-b4d5516e4487
    ReadOnly:          false
    VolumeAttributes:      backendUUID=115dc924-de93-4c8c-91be-5283c15a64f7
                           internalName=trident_pvc_b6bf10ac_6731_4b77_9963_b4d5516e4487
                           name=pvc-b6bf10ac-6731-4b77-9963-b4d5516e4487
                           protocol=block
                           storage.kubernetes.io/csiProvisionerIdentity=1602620905373-8081-csi.trident.netapp.io
Events:            <none>
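A check for the condition described above, as an added example that is not part of this article or of Trident's own tooling: it flags Trident iSCSI StorageClasses that lack `parameters.fsType`, and Trident block PVs that were already provisioned with an empty FSType (the state shown in the describe output). The set of `backendType` values treated as iSCSI, the sample StorageClass and PV objects, and the script name are assumptions made for the example; the corrected class `san-ext4` shows the same StorageClass with fsType set.

```python
"""Audit for Trident CSI iSCSI StorageClasses with no parameters.fsType and for PVs
provisioned from them with an empty FSType. With nothing on stdin it runs against
constructed sample objects; otherwise pipe in `kubectl get sc,pv -o json`.
This is an added example, not Trident's own tooling."""
import json
import sys

TRIDENT_PROVISIONER = "csi.trident.netapp.io"   # provisioner shown in the PV annotation above
# Assumed Trident backendType values that serve iSCSI volumes (ONTAP SAN, HCI/SolidFire)
ISCSI_BACKEND_TYPES = {"ontap-san", "ontap-san-economy", "solidfire-san"}


def storage_class_missing_fstype(sc: dict) -> bool:
    """True when a Trident iSCSI StorageClass has no usable parameters.fsType."""
    if sc.get("provisioner") != TRIDENT_PROVISIONER:
        return False                      # not a Trident class, out of scope
    params = sc.get("parameters") or {}
    backend = params.get("backendType")
    if backend is not None and backend not in ISCSI_BACKEND_TYPES:
        return False                      # not an iSCSI class, not affected by this issue
    return not params.get("fsType")       # missing or empty string -> affected


def pv_will_skip_fsgroup(pv: dict) -> bool:
    """True when a Trident CSI block PV carries an empty fsType, the state in the
    kubectl describe output above; the kubelet then applies no fsGroup ownership."""
    csi = (pv.get("spec") or {}).get("csi")
    if not csi or csi.get("driver") != TRIDENT_PROVISIONER:
        return False
    if (csi.get("volumeAttributes") or {}).get("protocol") != "block":
        return False                      # only iSCSI (block) volumes are affected
    return not csi.get("fsType")


def audit(storage_classes, persistent_volumes) -> dict:
    """Names of affected StorageClasses and of PVs provisioned without an fsType."""
    return {
        "storageclasses": [sc["metadata"]["name"] for sc in storage_classes
                           if storage_class_missing_fstype(sc)],
        "persistentvolumes": [pv["metadata"]["name"] for pv in persistent_volumes
                              if pv_will_skip_fsgroup(pv)],
    }


def _sc(name, provisioner=TRIDENT_PROVISIONER, **parameters) -> dict:
    """Build a minimal StorageClass object (helper for the constructed samples)."""
    return {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
            "metadata": {"name": name}, "provisioner": provisioner,
            "parameters": parameters}


# Constructed sample objects (not captured from a cluster). The first class reproduces the
# broken "san-undefined-fstype" class; the second is the corrected form with fsType set.
SAMPLE_STORAGE_CLASSES = [
    _sc("san-undefined-fstype", backendType="ontap-san"),
    _sc("san-ext4", backendType="ontap-san", fsType="ext4"),
    _sc("nas-default", backendType="ontap-nas"),                  # NFS class, not affected
    _sc("local", provisioner="kubernetes.io/no-provisioner"),     # not Trident
]
SAMPLE_PVS = [
    {"kind": "PersistentVolume",
     "metadata": {"name": "pvc-b6bf10ac-6731-4b77-9963-b4d5516e4487"},
     "spec": {"storageClassName": "san-undefined-fstype",
              "csi": {"driver": TRIDENT_PROVISIONER, "fsType": "",
                      "volumeHandle": "pvc-b6bf10ac-6731-4b77-9963-b4d5516e4487",
                      "volumeAttributes": {"protocol": "block"}}}},
    {"kind": "PersistentVolume",
     "metadata": {"name": "pvc-ok-ext4"},
     "spec": {"storageClassName": "san-ext4",
              "csi": {"driver": TRIDENT_PROVISIONER, "fsType": "ext4",
                      "volumeHandle": "pvc-ok-ext4",
                      "volumeAttributes": {"protocol": "block"}}}},
]


def main() -> None:
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if data.strip():                      # kubectl get sc,pv -o json | python3 audit_fstype.py
        items = json.loads(data).get("items", [])
        scs = [i for i in items if i.get("kind") == "StorageClass"]
        pvs = [i for i in items if i.get("kind") == "PersistentVolume"]
    else:                                 # no input: demonstrate on the constructed samples
        scs, pvs = SAMPLE_STORAGE_CLASSES, SAMPLE_PVS
    print(json.dumps(audit(scs, pvs), indent=2))


if __name__ == "__main__":
    main()
```

On a real cluster, `kubectl get sc,pv -o json | python3 audit_fstype.py` lists both the offending classes and the PVs already created from them. StorageClass parameters are immutable, so the fix is a new StorageClass with `parameters.fsType` set and a fresh PVC against it; PVs the audit lists keep their empty fsType and will stay unwritable for fsGroup-constrained pods until recreated.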