kubernetes-csi / csi-driver-nfs

This driver allows Kubernetes to access an NFS server on a Linux node.
Apache License 2.0

[Feature request] add ssh tunnel support #429

Closed jear closed 7 months ago

jear commented 1 year ago

I still have SSH tunnel to access NFSv3 mounts.

Typically:

```bash
ssh -i /tmp/id_rsa_datafabric.pem -o 'StrictHostKeyChecking no' -4 usr@my-nfs-ip.nip.io -L 2049:localhost:2049 -N -f \
&& ssh -i /tmp/id_rsa_datafabric.pem -o 'StrictHostKeyChecking no' -4 usr@my-nfs-ip.nip.io -L 111:localhost:111 -N -f \
&& mount -v -t nfs -o vers=3,port=2049,nolock,rw,proto=tcp,mountproto=tcp localhost:/my-fabric/my-tenant/my-nfs_vol /mnt/nfs
```

This solution requires the privileged securityContext to be set to true. To avoid that, I need to use the NFS CSI driver.

The solution would consist of adding SSH tunnel support to this CSI project.

Describe alternatives you've considered:

- https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
- https://stackoverflow.com/questions/64574328/how-to-mount-kerberised-nfs-on-kubernetes
- https://docs.docker.com.xy2401.com/ee/ucp/kubernetes/storage/use-nfs-volumes/
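A hardened variant of the tunnel setup in the post above, as an added example that is not part of the original post or of csi-driver-nfs: it pins the server's host key instead of passing `StrictHostKeyChecking no` (which accepts whatever host key the remote end presents), opens both forwards from one ssh process bound to loopback, and fails if a forward cannot be established. The helper names, the `DRY_RUN` switch and the separate known_hosts file are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or csi-driver-nfs). Helper names and the
# known_hosts file are assumptions; key path and user@host come from the caller.

# True only if the private key has no group/other permission bits set.
key_perms_ok() {
  perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
  [ "$perms" = "------" ]
}

# open_tunnel KEY KNOWN_HOSTS USER@HOST
# KNOWN_HOSTS must already hold the NFS gateway's host key, obtained out of
# band; with StrictHostKeyChecking=yes ssh refuses unknown or changed keys.
open_tunnel() {
  key=$1; known_hosts=$2; target=$3
  key_perms_ok "$key" || { echo "key readable by group/other: $key" >&2; return 1; }
  [ -s "$known_hosts" ] || { echo "no pinned host key: $known_hosts" >&2; return 1; }
  set -- ssh -i "$key" \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$known_hosts" \
    -o BatchMode=yes \
    -o ExitOnForwardFailure=yes \
    -4 -N -f \
    -L 127.0.0.1:2049:localhost:2049 \
    -L 127.0.0.1:111:localhost:111 \
    "$target"
  # DRY_RUN=1 prints the command instead of running it.
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}
```

Run it with `DRY_RUN=1` first to inspect the resulting command; the `mount` step from the post is unchanged.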

oreissig commented 1 year ago

Is this the same as https://github.com/kubernetes-csi/csi-driver-nfs/issues/390?

jear commented 1 year ago

This is indeed similar: the solution should be k8s-distro agnostic (because users don't necessarily have an account in a public cloud), i.e. from an IAM perspective, uid/gid is coming from external AD/LDAP... Today my solution is to store the SSH private key in an external secret management system (Vault) and store the token to access Vault in an opaque secret, injected by trusted users.

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

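This bot triages issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:
- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)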

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 7 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-csi/csi-driver-nfs/issues/429#issuecomment-1951524426):

>The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
>This bot triages issues according to the following rules:
>- After 90d of inactivity, `lifecycle/stale` is applied
>- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
>- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
>You can:
>- Reopen this issue with `/reopen`
>- Mark this issue as fresh with `/remove-lifecycle rotten`
>- Offer to help out with [Issue Triage][1]
>
>Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
>/close not-planned
>
>[1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.