csi-driver-nfs icon indicating copy to clipboard operation
csi-driver-nfs copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-csi

NFS CSI Driver is recommended over NFS in-tree Driver

Open LSuDavidd opened this issue 9 months ago • 11 comments

To configure NFS storage, you can use the in-tree driver or the NFS CSI driver for Kubernetes (recommended).

My questions are:

  1. Why the NFS CSI driver is recommended over the NFS in-tree driver?
  2. Is there any known plan of deprecating the NFS in-tree driver ?
  3. If I don't need dynamic storage provisioning is there any advantage of using the NFS CSI driver over the NFS in-tree driver?

Why it is recommended I am not exactly getting. Can Anyone Support me by giving proper answer.

LSuDavidd avatar Mar 06 '25 06:03 LSuDavidd

According to my investigation The CSI helps Kubernetes replace built-in storage drivers, especially vendor-specific ones. Since Kubernetes v1.13, CSI has made it easier to add and manage storage integrations.

CSI improves maintainability by allowing storage driver developers to control their updates and support. It also enhances security by reducing built-in code, lowering risks, and letting cluster operators choose only the needed storage drivers. NFS CSI Driver reduce risk with less in-tree code, the risks of a mistake are reduced, and cluster operators can select only the storage drivers that their cluster requires

niranjandarshann avatar Mar 06 '25 07:03 niranjandarshann

3. If I don't need dynamic storage provisioning is there any advantage of using the NFS CSI driver over the NFS in-tree driver?

Yes, even if you don't need dynamic storage provisioning, using the NFS CSI driver has advantages over the NFS in-tree driver. As CSI drivers are safer because they include only the necessary drivers, reducing security risks. So, it's recommended to use CSI drivers instead of in-tree drivers.

niranjandarshann avatar Mar 06 '25 07:03 niranjandarshann

Documentation NFS Driver https://github.com/kubernetes-csi/csi-driver-nfs https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/#why-are-we-migrating-in-tree-plugins-to-csi I think it will be helpful for your concern.

niranjandarshann avatar Mar 06 '25 07:03 niranjandarshann

Thank you for your answer @niranjandarshann . Moving drivers out of the tree increases the security of the Kubernetes codebase because less code means fewer bugs. However, I cannot see how this implies that CSI drivers are more secure than in-tree drivers. But Opposite can also be True. Isnt it?

What Do You Think On it.

LSuDavidd avatar Mar 06 '25 07:03 LSuDavidd

  • Is there any known plan of deprecating the NFS in-tree driver ?

Do We have any? @niranjandarshann

LSuDavidd avatar Mar 06 '25 07:03 LSuDavidd

Thank you for your answer @niranjandarshann . Moving drivers out of the tree increases the security of the Kubernetes codebase because less code means fewer bugs. However, I cannot see how this implies that CSI drivers are more secure than in-tree drivers. But Opposite can also be True. Isnt it?

What Do You Think On it.

What I think is after CSI drivers came , the kubernetes code became less vulnerable, and since every vendor can have separate release cycles the frequency for updating the driver related changes became independent which in turn can make CSI drivers less vulnerable. Though what you said also might be correct depending on how quick the vendor fixes their code.

niranjandarshann avatar Mar 06 '25 08:03 niranjandarshann

  • Is there any known plan of deprecating the NFS in-tree driver ?

Do We have any? @niranjandarshann

Refer this https://github.com/kubernetes-csi/csi-driver-nfs/issues/873#issuecomment-2703074913 It will help you in getting response for this .

niranjandarshann avatar Mar 06 '25 08:03 niranjandarshann

What I think is after CSI drivers came , the kubernetes code became less vulnerable, and since every vendor can have separate release cycles the frequency for updating the driver related changes became independent which in turn can make CSI drivers less vulnerable. Though what you said also might be correct depending on how quick the vendor fixes their code.

Ok Understood. Tks! for your investigation

LSuDavidd avatar Mar 06 '25 09:03 LSuDavidd

Refer this #873 (comment) It will help you in getting response for this .

Got You Tks (thanks) @niranjandarshann

LSuDavidd avatar Mar 06 '25 09:03 LSuDavidd

@niranjandarshann @LSuDavidd Of relevance, this NFS CSI Driver is positioned as generic / vendor-agnostic for native NFS storage protocol connectivity (by virtue of it's name and description) but is not - see #736

sean-freeman avatar Mar 11 '25 13:03 sean-freeman

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jun 09 '25 14:06 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Jul 09 '25 15:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Aug 08 '25 16:08 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Aug 08 '25 16:08 k8s-ci-robot