
[cinder-csi-plugin] node server should not use openstack credentials by default

Open kayrus opened this issue 5 years ago • 22 comments

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened:

The Cinder CSI node server tries to create an openstack client based on cloud-config, when usually this is not necessary, since all openstack-related communication is done on the CSI controller side.

What you expected to happen:

I expect the CSI cinder node server not to use openstack credentials when it is not necessary, and to respect the https://github.com/kubernetes/kubernetes/blob/08e1fd3bb947faf465e8a67d5c7106dbd10840c0/pkg/apis/core/types.go#L1607 and https://github.com/kubernetes/kubernetes/blob/08e1fd3bb947faf465e8a67d5c7106dbd10840c0/pkg/apis/core/types.go#L1664..L1670 API. So when ephemeral storage is requested, the user must provide a secret reference via the pod manifest or storage manifest.

In addition, the node server manifest should not refer to secrets. The node server configuration should be done via a configMap. See the discussion here: https://github.com/kubernetes/cloud-provider-openstack/pull/861#issuecomment-585645374

Anything else we need to know?:

https://github.com/kubernetes-csi/external-attacher/pull/38

https://kubernetes-csi.github.io/docs/secrets-and-credentials.html

The openstack client is used in the functions listed below:

  • nodePublishEphermeral
  • nodeUnpublishEphermeral
  • NodeStageVolume
  • NodeUnstageVolume
  • NodePublishVolume
  • NodeUnpublishVolume

/cc @rfranzke

kayrus avatar Apr 09 '20 15:04 kayrus
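The secret flow the issue asks for (node DaemonSet configured from a ConfigMap, credentials referenced only per StorageClass or per inline volume), written out as added example manifests that are not part of the issue or of the project's deploy files. The ConfigMap/Secret names, the `cloud.conf` key, the Keystone URL and the `capacity` volume attribute are assumptions; the `csi.storage.k8s.io/node-*-secret-*` parameters and `nodePublishSecretRef` are the standard keys from the linked secrets-and-credentials doc and `CSIVolumeSource`, and the Secrets they point at are assumed to exist in the named namespaces.

```yaml
# 1. Non-secret part of cloud-config, mounted read-only into the node
#    DaemonSet in place of a Secret volume (assumed name, key and values).
apiVersion: v1
kind: ConfigMap
metadata:
  name: cinder-csi-node-config
  namespace: kube-system
data:
  cloud.conf: |
    [Global]
    auth-url = https://keystone.example.internal:5000/v3
    region = RegionOne
---
# 2. StorageClass: NodeStage/NodePublish receive credentials through the
#    CSI "per operation" secret parameters; the Secret is never mounted
#    into the node pod. (assumed Secret name; assumed to exist)
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: cinder-with-node-secret
provisioner: cinder.csi.openstack.org
parameters:
  csi.storage.k8s.io/node-stage-secret-name: cinder-csi-node-secret
  csi.storage.k8s.io/node-stage-secret-namespace: kube-system
  csi.storage.k8s.io/node-publish-secret-name: cinder-csi-node-secret
  csi.storage.k8s.io/node-publish-secret-namespace: kube-system
---
# 3. Ephemeral inline volume: the pod manifest carries the reference
#    (CSIVolumeSource.NodePublishSecretRef from the issue). The Secret is
#    resolved in the pod's own namespace. (assumed names and attribute)
apiVersion: v1
kind: Pod
metadata:
  name: scratch-consumer
  namespace: default
spec:
  containers:
    - name: app
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: scratch
          mountPath: /scratch
  volumes:
    - name: scratch
      csi:
        driver: cinder.csi.openstack.org
        volumeAttributes:
          capacity: "1Gi"
        nodePublishSecretRef:
          name: cinder-csi-node-secret
```

With this layout, a compromise of a node pod exposes only the non-secret `[Global]` section; the kubelet hands the referenced Secret to the driver per call, which is what the issue's reading of the CSI spec asks the node server to honour.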

/cc @adisky

rfranzke avatar Apr 09 '20 15:04 rfranzke

just to confirm, the overall idea is to use secret or related info to avoid usage of cloud-config, but still need the provided secret to do communication with openstack side (in other words, the mechanism of communication between CSI node + openstack is not changed, how to provide cloud definition will be changed, correct?)

jichenjc avatar Apr 13 '20 02:04 jichenjc

Initial idea was to start nodeserver without secrets. It may be required for security purposes. Additionally, follow the CSI spec and configure the openstack client from secrets provided in the storageclass manifest when possible.

For now I'm confident that secrets are required by ephemeral inline storage. Nodeserver may work fine without secrets and ephemeral storage support.

The remaining functions are:

  • NodeStageVolume
  • NodeUnstageVolume
  • NodePublishVolume
  • NodeUnpublishVolume

I haven't managed to clarify their purpose. But it would be fine if the nodeserver just returns an error when an openstack API operation is not possible.

kayrus avatar Apr 13 '20 06:04 kayrus

@kayrus we need to use openstack credentials for some of the operations in nodeserver. As per https://kubernetes-csi.github.io/docs/secrets-and-credentials.html, if a secret is required at the "per driver" granularity (not different "per CSI operation" or "per volume"), then the secret SHOULD be injected directly into CSI driver pods via standard Kubernetes secret distribution mechanisms during deployment. This is the way we are doing it currently, so it is fine.

IIUC, secrets need to be provided per storageclass only when credentials are needed per volume/per operation. If a CSI Driver requires secrets "per CSI operation" or "per volume" or "per storage pool", the CSI spec allows secrets to be passed in for various CSI operations. Cluster admins can populate such secrets by creating Kubernetes Secret objects and specifying the keys in the StorageClass or SnapshotClass objects (Ref: https://kubernetes-csi.github.io/docs/secrets-and-credentials.html)

Updating the slack discussion on the questions you asked:

  • do you agree that nodeserver must start without secrets? ramineni: we could explore this option, more investigation needed if this can be done without breaking the driver.
  • do you agree that cloud-config should be split into two parts: config and secret? ramineni: yes, this would make sense

ramineni avatar Apr 13 '20 09:04 ramineni

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Jul 12 '20 09:07 fejta-bot

/remove-lifecycle stale

ramineni avatar Jul 13 '20 04:07 ramineni

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Oct 11 '20 04:10 fejta-bot

/remove-lifecycle stale

ramineni avatar Oct 12 '20 04:10 ramineni

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Jan 10 '21 04:01 fejta-bot

/remove-lifecycle stale

ramineni avatar Jan 11 '21 05:01 ramineni

See the aws node controller for reference: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/deploy/kubernetes/base/node.yaml It doesn't have secrets.

kayrus avatar Feb 12 '21 13:02 kayrus

/assign Explore nodeserver to be started without need of secrets

ramineni avatar May 11 '21 10:05 ramineni

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 09 '21 10:08 k8s-triage-robot

/remove-lifecycle stale

ramineni avatar Aug 23 '21 10:08 ramineni

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 21 '21 10:11 k8s-triage-robot

/remove-lifecycle stale

ramineni avatar Nov 24 '21 03:11 ramineni

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Feb 22 '22 04:02 k8s-triage-robot

/remove-lifecycle stale

ramineni avatar Feb 22 '22 05:02 ramineni

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 23 '22 06:05 k8s-triage-robot

/remove-lifecycle stale

jichenjc avatar May 23 '22 06:05 jichenjc

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 21 '22 07:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Sep 20 '22 07:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Oct 20 '22 07:10 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 20 '22 07:10 k8s-ci-robot

It looks to me like node servers needed secrets for ephemeral storage, but ephemeral storage was removed in https://github.com/openshift/openstack-cinder-csi-driver-operator/pull/76 . Does this mean the requirement to have secrets on the nodes is gone?

puck avatar Jul 20 '23 04:07 puck