pb-7504: make NFS job pod to use root for resource backup #391
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
OSS Scan Results:
Total issues: 142 |
|
License Evaluation Results:
Total License Issues: 17 |
pkg/drivers/utils/utils.go
Outdated
| // Checks if the cluster is GCP hosted cluster. | ||
| func IsGcpHostedCluster() (bool, error) { | ||
| // Any GCP hosted cluster be it vanilla , OCP or GKE | ||
| // it is expected to have a ProviderId in its spec witha prefix of "gce" |
pkg/drivers/nfsrestore/nfsrestore.go
Outdated
|
|
||
| // check the cluster is GCP based or not | ||
| isGcpBasedCluster, err := utils.IsGcpHostedCluster() | ||
| if err != nil { |
There was a problem hiding this comment.
Do we need this fix for restore as well? for restore, we need only read permission rt?
There was a problem hiding this comment.
good catch we don't need it.
pkg/drivers/utils/utils.go
Outdated
|
|
||
| for _, node := range nodes.Items { | ||
| providerID := node.Spec.ProviderID | ||
| if strings.HasPrefix(providerID, "gce://") { |
There was a problem hiding this comment.
nit: can we make the "gce://" as string constant definition?
lalat-das
force-pushed
the
pb-7504-gke-group-permission-issue
branch
from
c898e5e to
6ef74cc
Compare
|
OSS Scan Results:
Total issues: 142 |
|
License Evaluation Results:
Total License Issues: 17 |
- When we use GCP based file store as NFS backup location, the job pod using that doesn't have write permission for group user, this causes the non-root user permission denied error during backup and restore. - This is GKE specific behaviour hence a check added to force all job pod to run as a root user eradicating the permission denied error. Signed-off-by: Lalatendu Das <[email protected]>
lalat-das
force-pushed
the
pb-7504-gke-group-permission-issue
branch
from
6ef74cc to
e893f55
Compare
|
OSS Scan Results:
Total issues: 142 |
|
License Evaluation Results:
Total License Issues: 17 |
lalat-das
requested review from
siva-portworx,
vsundarraj-px,
vikasit12 and
pallav-px
siva-portworx
approved these changes
Jul 30, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When we use GCP based file store as NFS backup location, the job pod using that doesn't have write permission for group user, this causes the non-root user permission denied error during backup and restore.
This is GKE specific behaviour hence a check added to force all job pod to run as a root user eradicating the permission denied error.
What this PR does / why we need it: This PR fixes the GKE resource backup and restore path wherein if NFS backup location is used then it will not use non-root user in any case. Hence no security context will be added.
Which issue(s) this PR fixes (optional)
Closes # pb-7504
Special notes for your reviewer:
Tested with kdmp volume + resource and then resource only
restore of the same