azurefile-csi-driver icon indicating copy to clipboard operation
azurefile-csi-driver copied to clipboard

Published 20 hours ago β€’ verified publisher icon kubernetes-sigs

[Draft] Add support for confidential pods

Open arc9693 opened this issue 1 year ago β€’ 5 comments

What type of PR is this?

What this PR does / why we need it: Kata-cc is a lightweight VM based runtime for containers. As of now, the azurefile-csi-driver’s persistent storage does not work for kata-cc or confidential pods. The file sharing between host and guest is disabled and therefore the SMB mount on host node does not propagate as expected for the pod. The proposed changes enable the SMB mount inside the guest VM that wraps the confidential pod.

Which issue(s) this PR fixes:

Fixes #

Requirements:

Special notes for your reviewer:

Release note:

none

arc9693 avatar Jul 10 '24 11:07 arc9693

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: andyzhangx / name: Andy Zhang (bb47dce21029f1c62807fb507fdca10d3392552e, f337f3fe04880c8a2c31ea49eea3abd518699455, 6e32cc608ffaad259bbf6dfa772af564d5c3b831, 4b070eb0bf369a5d64dd8551cf9df77ddd5e7238, 3ddde6bcef7921c269bb56af02768dd0e38e0993)
  • :white_check_mark: login: arc9693 / name: Archana Choudhary (a82e15e93f1694cabaef6fd0c502de6e62ef3d04, b3dc119f340faf871099c4c6518b929f6ab67586)

linux-foundation-easycla[bot] avatar Jul 10 '24 11:07 linux-foundation-easycla[bot]

Welcome @arc9693!

It looks like this is your first PR to kubernetes-sigs/azurefile-csi-driver πŸŽ‰. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/azurefile-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

k8s-ci-robot avatar Jul 10 '24 11:07 k8s-ci-robot

Hi @arc9693. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jul 10 '24 11:07 k8s-ci-robot

@arc9693 thanks for the PR, can you sign the cla license first? thx

andyzhangx avatar Jul 10 '24 12:07 andyzhangx

/test pull-azurefile-csi-driver-verify

andyzhangx avatar Aug 08 '24 14:08 andyzhangx

/retest

andyzhangx avatar Aug 17 '24 02:08 andyzhangx

/retest

arc9693 avatar Sep 03 '24 21:09 arc9693

/retest

arc9693 avatar Sep 03 '24 21:09 arc9693

/retest

arc9693 avatar Sep 04 '24 19:09 arc9693

/retest

andyzhangx avatar Sep 12 '24 06:09 andyzhangx

/retest

arc9693 avatar Sep 12 '24 11:09 arc9693

/retest

arc9693 avatar Sep 13 '24 09:09 arc9693

/retest

andyzhangx avatar Sep 13 '24 15:09 andyzhangx

/retest

andyzhangx avatar Sep 14 '24 03:09 andyzhangx

@arc9693 thanks for the PR, could you squash all commits first, you could run by git rebase HEAD~23 and then apply.

I am worried that the previous azure file mount functionality would be broken due to this new feature. To be safer, is it possible to add a new parameter into storage class or pv, e.g. enableKataCCMount: "true" (you could replace the feature flag enable-kata-cc-mount with this new parameter), only if this parameter is enabled in pv, then we would perform kata cc mount, I think that would be mush safer.

In brief, kata cc mount would be only performed only if enableKataCCMount is enabled in pv volume, what do you think?

btw, this is similar to comments: https://github.com/kubernetes-sigs/azurefile-csi-driver/pull/1971#discussion_r1745005270, in the end, we have to enable feature flag enable-kata-cc-mount by default to support kata-cc-mount, and if user could enable this feature by using enableKataCCMount parameter in pv, that would be great since majority of the users do not need kata-cc-mount

andyzhangx avatar Sep 16 '24 08:09 andyzhangx

@arc9693 thanks for the PR, could you squash all commits first, you could run by git rebase HEAD~23 and then apply.

I am worried that the previous azure file mount functionality would be broken due to this new feature. To be safer, is it possible to add a new parameter into storage class or pv, e.g. enableKataCCMount: "true" (you could replace the feature flag enable-kata-cc-mount with this new parameter), only if this parameter is enabled in pv, then we would perform kata cc mount, I think that would be mush safer.

In brief, kata cc mount would be only performed only if enableKataCCMount is enabled in pv volume, what do you think?

@andyzhangx I'd like to stress the importance of ensuring the new driver feature works properly with both confidential and non-confidential pods for a smooth user experience, especially for allowing customers to migrate their apps to confidential pods without breaking changes. Therefore, it would be important that an Azure File volume can be mounted on non-confidential pods regardless of the enableKataCCMount flag. On the other hand, mounting on confidential pods should only be possible when the enableKataCCMount flag is enabled in the storage class. This is critical for users who plan to move from non-kata containers to kata containers without losing the mount capability to their existing Azure File mounts.

In other words, here's what I expect:

  • When the enableKataCCMount flag is disabled, Azure File volumes should mount only on non-confidential pods (classic driver functionality)
  • When the enableKataCCMount flag is enabled, Azure File volumes should mount on both non-confidential pods (classic driver functionality) and confidential pods (mount the new "kata" volumes), based on the runtime class of the pod.

andpiccione avatar Sep 16 '24 15:09 andpiccione

@arc9693 thanks for the PR, could you squash all commits first, you could run by git rebase HEAD~23 and then apply.

I am worried that the previous azure file mount functionality would be broken due to this new feature. To be safer, is it possible to add a new parameter into storage class or pv, e.g. enableKataCCMount: "true" (you could replace the feature flag enable-kata-cc-mount with this new parameter), only if this parameter is enabled in pv, then we would perform kata cc mount, I think that would be mush safer.

In brief, kata cc mount would be only performed only if enableKataCCMount is enabled in pv volume, what do you think?

@andyzhangx @arc9693 As interested users of this new functionality, our team would very much prefer a storage class parameter instead of a PV parameter. The storage class parameter would allow us to continue to dynamically create volumes from PVCs without the need for an explicit PV resource; overall, adding the parameter at the storage class level would provide us with more flexibility and allow us to enable this new feature more easily for our existing workloads.

andpiccione avatar Sep 17 '24 01:09 andpiccione

@andpiccione thanks for taking this suggestion, the parameter in storage class would be inherited in pv when pv is created by the driver, so that's the same method. You could take a look at existing PV created by the driver, it would have all parameters inherited from the storage class.

btw, is there a way to detect whether kata-container is enabled on the node? e.g. check whether a specific file exists under /run/kata-containers/

the feature flag would be enabled by default on aks, if there is a way to only enabling kata-container mount in specific node or volumes, that would also help

andyzhangx avatar Sep 17 '24 02:09 andyzhangx

/retest

andyzhangx avatar Oct 09 '24 13:10 andyzhangx

/retest

arc9693 avatar Oct 10 '24 12:10 arc9693

could you fix the windows ut failure:

https://github.com/kubernetes-sigs/azurefile-csi-driver/actions/runs/11254288924/job/31298301887?pr=1971

    nodeserver.go:202: Unexpected call to *azurefile.MockDirectVolume.Remove([D:\a\azurefile-csi-driver\azurefile-csi-driver\pkg\azurefile\error_is_likely_target]) at D:/a/azurefile-csi-driver/azurefile-csi-driver/pkg/azurefile/nodeserver.go:202 because: there are no expected calls of the method "Remove" for that receiver
--- FAIL: TestNodeUnpublishVolume (0.00s)

    nodeserver.go:543: Unexpected call to *azurefile.MockDirectVolume.Remove([D:\a\azurefile-csi-driver\azurefile-csi-driver\pkg\azurefile\error_is_likely_target]) at D:/a/azurefile-csi-driver/azurefile-csi-driver/pkg/azurefile/nodeserver.go:543 because: there are no expected calls of the method "Remove" for that receiver
--- FAIL: TestNodeUnstageVolume (0.00s)

andyzhangx avatar Oct 10 '24 14:10 andyzhangx

/retest

andyzhangx avatar Oct 13 '24 14:10 andyzhangx

/retest

andyzhangx avatar Oct 14 '24 11:10 andyzhangx

/retest

andyzhangx avatar Oct 14 '24 13:10 andyzhangx

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, arc9693

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Oct 14 '24 14:10 k8s-ci-robot