nfs: add support for modifying clients parameter via VolumeAttributesClass#6219
Draft
nixpanic wants to merge 5 commits intoceph:develfrom
Draft
nfs: add support for modifying clients parameter via VolumeAttributesClass#6219nixpanic wants to merge 5 commits intoceph:develfrom
nixpanic wants to merge 5 commits intoceph:develfrom
Conversation
Member
Author
|
/test ci/centos/k8s-e2e-external-storage/1.35/cephfs |
nixpanic
commented
Apr 2, 2026
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
6 times, most recently
from
100405b to
c27e00a
Compare
Member
Author
|
/test ci/centos/k8s-e2e-external-storage/1.35/cephfs |
Member
Author
|
/test ci/centos/mini-e2e-helm/k8s-1.35/cephfs |
Member
Author
|
/test ci/centos/mini-e2e-helm/k8s-1.35/nfs |
Member
Author
|
/test ci/centos/mini-e2e-helm/k8s-1.35 |
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
Member
Author
|
from the logs: Still investigating why this happened. |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
c27e00a to
05387b2
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
05387b2 to
d09bc7c
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/nfs |
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
d09bc7c to
c98cc9e
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
1 similar comment
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
1daa523 to
9df6b50
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
9df6b50 to
67f7e3c
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
67f7e3c to
736d84f
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
736d84f to
b5925aa
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
b5925aa to
43a9782
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.34/cephfs |
The ControllerModifyVolume CSI procedure can now be used to modify the `clients` parameter that was originally configured in the StorageClass. The SetClients() method uses the NFS Admin API to update the export on the cluster (via ExportInfo + ApplyExportInfo) and stores the value in the journal for persistence. Assisted-by: AskBob <askbob@ibm.com> Signed-off-by: Niels de Vos <ndevos@ibm.com>
Add comprehensive e2e test that verifies the clients parameter can be modified using VolumeAttributesClass. The test: - Creates a volume with restrictive clients (1.1.1.1) - Verifies that an app fails to mount with restrictive settings - Updates the clients parameter via VolumeAttributesClass to allow all clients (0.0.0.0/0) - Verifies that the app successfully mounts after the update The test runs just before the cleanup phase to ensure proper test sequencing. Assisted-by: AskBob <askbob@ibm.com> Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
/!\ DO NOT MERGE This uses a personal branch for testing. Signed-off-by: Niels de Vos <ndevos@ibm.com>
nixpanic
force-pushed
the
ai/bob/nfs/ControllerModifyVolume/clients
branch
from
43a9782 to
af268d8
Compare
Member
Author
|
/test ci/centos/mini-e2e/k8s-1.35/cephfs |
Contributor
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 ⛓️ Depends-On RequirementsWonderful, this rule succeeded.Requirement based on the presence of
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe what this PR does
This PR adds support for modifying the NFS
clientsparameter using VolumeAttributesClass. This allows administrators to update the list of hostnames, networks, or IP addresses that are allowed to access an NFS export after the volume has been created, without needing to recreate the volume.The implementation includes:
clientsparameter inControllerModifyVolumeCSI methodSetClients()in the NFSVolume type to persist the clients list in the export configurationIs there anything that requires special attention
Kubernetes Version Requirement: This feature requires Kubernetes >= 1.34, as VolumeAttributesClass is a newer Kubernetes feature. The E2E test includes a version check to skip on older clusters.
Backward Compatibility: This change is fully backward compatible. The
clientsparameter remains optional and existing volumes continue to work without modification. The feature only activates when a VolumeAttributesClass is applied to update the parameter.Security Consideration: Administrators should be aware that updating the
clientsparameter can expand or restrict access to NFS exports. The E2E test demonstrates both restrictive and permissive configurations to validate proper behavior.Related issues
This PR implements support for modifying NFS export access controls dynamically, which is useful for scenarios where access requirements change after volume provisioning.
Depends-on: ceph/go-ceph#1261
Future concerns
secType)clientsparameter format to catch configuration errors earlyShow available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)