From 5b578e8573f023914f831ad2420988a27bb65172 Mon Sep 17 00:00:00 2001
From: Raunak Pradip Shah
Date: Wed, 30 Mar 2022 10:20:55 +0530
Subject: [PATCH] - Introduce new flag to enable feature to prevent unauthorised volume mode conversion - Changes to snapshot controller to read the volume mode from the PV and add it to SourceVolumeMode field in VolumeSnapshotContent
---
 cmd/snapshot-controller/main.go | 2 ++
 pkg/common-controller/framework_test.go | 1 +
 pkg/common-controller/snapshot_controller.go | 14 ++++++++++++++
 pkg/common-controller/snapshot_controller_base.go | 4 ++++
 4 files changed, 21 insertions(+)
diff --git a/cmd/snapshot-controller/main.go b/cmd/snapshot-controller/main.go
index 0ff18498..1c91bfc6 100644
--- a/cmd/snapshot-controller/main.go
+++ b/cmd/snapshot-controller/main.go
@@ -70,6 +70,7 @@ var (
 retryIntervalStart = flag.Duration("retry-interval-start", time.Second, "Initial retry interval of failed volume snapshot creation or deletion. It doubles with each failure, up to retry-interval-max. Default is 1 second.")
 retryIntervalMax = flag.Duration("retry-interval-max", 5*time.Minute, "Maximum retry interval of failed volume snapshot creation or deletion. Default is 5 minutes.")
 enableDistributedSnapshotting = flag.Bool("enable-distributed-snapshotting", false, "Enables each node to handle snapshotting for the local volumes created on that node")
+ preventVolumeModeConversion = flag.Bool("prevent-volume-mode-conversion", false, "Prevents an unauthorised user from modifying the volume mode when creating a PVC from an existing VolumeSnapshot.")
 )
 var (
@@ -187,6 +188,7 @@ func main() {
 workqueue.NewItemExponentialFailureRateLimiter(*retryIntervalStart, *retryIntervalMax),
 workqueue.NewItemExponentialFailureRateLimiter(*retryIntervalStart, *retryIntervalMax),
 *enableDistributedSnapshotting,
+ *preventVolumeModeConversion,
 )
 if err := ensureCustomResourceDefinitionsExist(snapClient); err != nil {
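Review bot: The help text on the new `prevent-volume-mode-conversion` flag (the `var (` flag block in cmd/snapshot-controller/main.go) promises more than this patch shows the controller doing. In the visible hunks the flag only makes createSnapshotContent copy the PV's volume mode into `SourceVolumeMode`; nothing here rejects a PVC, so enforcement presumably lives in whichever component reads that field, and contents created while the flag was off would not carry it. I would reword it along the lines of `"Records the source volume mode on VolumeSnapshotContent so that unauthorised volume mode conversion can be rejected when a PVC is created from a VolumeSnapshot. Default is false."` so operators do not assume that setting this one flag is sufficient.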
diff --git a/pkg/common-controller/framework_test.go b/pkg/common-controller/framework_test.go
index ab86cb92..dd05977c 100644
--- a/pkg/common-controller/framework_test.go
+++ b/pkg/common-controller/framework_test.go
@@ -844,6 +844,7 @@ func newTestController(kubeClient kubernetes.Interface, clientset clientset.Inte
 workqueue.NewItemExponentialFailureRateLimiter(1*time.Millisecond, 1*time.Minute),
 workqueue.NewItemExponentialFailureRateLimiter(1*time.Millisecond, 1*time.Minute),
 false,
+ false,
 )
 ctrl.eventRecorder = record.NewFakeRecorder(1000)
diff --git a/pkg/common-controller/snapshot_controller.go b/pkg/common-controller/snapshot_controller.go
index 4c8dd026..9e07e505 100644
--- a/pkg/common-controller/snapshot_controller.go
+++ b/pkg/common-controller/snapshot_controller.go
@@ -684,6 +684,20 @@ func (ctrl *csiSnapshotCommonController) createSnapshotContent(snapshot *crdv1.V
 }
 }
+ if ctrl.preventVolumeModeConversion {
+ volumeMode := volume.Spec.VolumeMode
+ if volumeMode != nil {
+ snapshotContent.Spec.SourceVolumeMode = new(crdv1.SourceVolumeMode)
+ switch *volumeMode {
+ case v1.PersistentVolumeBlock:
+ *snapshotContent.Spec.SourceVolumeMode = crdv1.SourceVolumeModeBlock
+ case v1.PersistentVolumeFilesystem:
+ *snapshotContent.Spec.SourceVolumeMode = crdv1.SourceVolumeModeFilesystem
+ }
+ }
+ klog.V(5).Infof("snapcontent %s has volume mode %s", snapshotContent.Name, *snapshotContent.Spec.SourceVolumeMode)
+ }
+
 // Set AnnDeletionSecretRefName and AnnDeletionSecretRefNamespace
 if snapshotterSecretRef != nil {
 klog.V(5).Infof("createSnapshotContent: set annotation [%s] on content [%s].", utils.AnnDeletionSecretRefName, snapshotContent.Name)
diff --git a/pkg/common-controller/snapshot_controller_base.go b/pkg/common-controller/snapshot_controller_base.go
index 7ff128a9..c53fd737 100644
--- a/pkg/common-controller/snapshot_controller_base.go
+++ b/pkg/common-controller/snapshot_controller_base.go
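Review bot: In the createSnapshotContent hunk of snapshot_controller.go, the added `klog.V(5).Infof("snapcontent %s has volume mode %s", snapshotContent.Name, *snapshotContent.Spec.SourceVolumeMode)` sits after the closing brace of `if volumeMode != nil`, so it dereferences the pointer even when the PV has no `Spec.VolumeMode`. Go evaluates the arguments before klog checks verbosity, so unless SourceVolumeMode is populated earlier in the function (which starts outside this hunk), the controller would panic for such a PV whenever the flag is on. Move the log line inside the nil check, and consider recording `crdv1.SourceVolumeModeFilesystem` for a nil mode, since Kubernetes treats an unset PV volume mode as Filesystem and an empty field may let those snapshots bypass the conversion check downstream. The `switch` also has no `default`, so an unrecognised mode is stored as an empty string, and newTestController in framework_test.go passes `false`, so the existing tests exercise none of this path.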
@@ -68,6 +68,7 @@ type csiSnapshotCommonController struct {
 resyncPeriod time.Duration
 enableDistributedSnapshotting bool
+ preventVolumeModeConversion bool
 }
 // NewCSISnapshotController returns a new *csiSnapshotCommonController
@@ -84,6 +85,7 @@ func NewCSISnapshotCommonController(
 snapshotRateLimiter workqueue.RateLimiter,
 contentRateLimiter workqueue.RateLimiter,
 enableDistributedSnapshotting bool,
+ preventVolumeModeConversion bool,
 ) *csiSnapshotCommonController {
 broadcaster := record.NewBroadcaster()
 broadcaster.StartLogging(klog.Infof)
@@ -138,6 +140,8 @@ func NewCSISnapshotCommonController(
 ctrl.nodeListerSynced = nodeInformer.Informer().HasSynced
 }
+ ctrl.preventVolumeModeConversion = preventVolumeModeConversion
+
 return ctrl
 }
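Review bot: `NewCSISnapshotCommonController` now ends with two adjacent positional `bool` parameters (`enableDistributedSnapshotting`, `preventVolumeModeConversion`), and the call sites in this patch pass them as `false, false,` or as two bare flag dereferences. Swapping them compiles cleanly and would silently switch the volume-mode protection off or distributed snapshotting on, which is an easy mistake to make on a security toggle. At minimum, document the new parameter in the constructor's doc comment, whose visible text still reads `// NewCSISnapshotController returns a new *csiSnapshotCommonController`, and label the arguments at call sites, e.g. `false, // preventVolumeModeConversion`. An options struct would remove the ordering hazard if the signature is allowed to change. Most of the constructor body lies outside these hunks.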