nfs: add support for modifying clients parameter via VolumeAttributesClass#6219
nfs: add support for modifying clients parameter via VolumeAttributesClass#6219nixpanic wants to merge 5 commits intoceph:develfrom
Conversation
|
/test ci/centos/k8s-e2e-external-storage/1.35/cephfs |
100405b to
c27e00a
Compare
|
/test ci/centos/k8s-e2e-external-storage/1.35/cephfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.35/cephfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.35/nfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.35 |
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
|
from the logs: Still investigating why this happened. |
c27e00a to
05387b2
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
05387b2 to
d09bc7c
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/nfs |
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
d09bc7c to
c98cc9e
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
1 similar comment
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
1daa523 to
9df6b50
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
9df6b50 to
67f7e3c
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
67f7e3c to
736d84f
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
736d84f to
b5925aa
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
b5925aa to
43a9782
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
|
/test ci/centos/mini-e2e/k8s-1.34/cephfs |
The ControllerModifyVolume CSI procedure can now be used to modify the `clients` parameter that was originally configured in the StorageClass. The SetClients() method uses the NFS Admin API to update the export on the cluster (via ExportInfo + ApplyExportInfo) and stores the value in the journal for persistence. Assisted-by: AskBob <askbob@ibm.com> Signed-off-by: Niels de Vos <ndevos@ibm.com>
Add comprehensive e2e test that verifies the clients parameter can be modified using VolumeAttributesClass. The test: - Creates a volume with restrictive clients (1.1.1.1) - Verifies that an app fails to mount with restrictive settings - Updates the clients parameter via VolumeAttributesClass to allow all clients (0.0.0.0/0) - Verifies that the app successfully mounts after the update The test runs just before the cleanup phase to ensure proper test sequencing. Assisted-by: AskBob <askbob@ibm.com> Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
/!\ DO NOT MERGE This uses a personal branch for testing. Signed-off-by: Niels de Vos <ndevos@ibm.com>
43a9782 to
af268d8
Compare
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 ⛓️ Depends-On RequirementsWonderful, this rule succeeded.Requirement based on the presence of
|
Describe what this PR does
This PR adds support for modifying the NFS
clientsparameter using VolumeAttributesClass. This allows administrators to update the list of hostnames, networks, or IP addresses that are allowed to access an NFS export after the volume has been created, without needing to recreate the volume.The implementation includes:
clientsparameter inControllerModifyVolumeCSI methodSetClients()in the NFSVolume type to persist the clients list in the export configurationIs there anything that requires special attention
Kubernetes Version Requirement: This feature requires Kubernetes >= 1.34, as VolumeAttributesClass is a newer Kubernetes feature. The E2E test includes a version check to skip on older clusters.
Backward Compatibility: This change is fully backward compatible. The
clientsparameter remains optional and existing volumes continue to work without modification. The feature only activates when a VolumeAttributesClass is applied to update the parameter.Security Consideration: Administrators should be aware that updating the
clientsparameter can expand or restrict access to NFS exports. The E2E test demonstrates both restrictive and permissive configurations to validate proper behavior.Related issues
This PR implements support for modifying NFS export access controls dynamically, which is useful for scenarios where access requirements change after volume provisioning.
Depends-on: ceph/go-ceph#1261
Future concerns
secType)clientsparameter format to catch configuration errors earlyShow available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)