Capability to set filesystem permissions for mounted volumes

[seifrajhi]

What happened:

I am not able to change the permissions of the files mounted using azure-file-csi-persistent in azure provider. My directory are getting mounted as root with 770 permissions, while I want my mounted files to have 750 permissions and nonroot user.

I want to avoid ownership changes of the mount volume /app from azure-file-csi-persistent storage class inside my pod?

I created the following in my Dockerfile:

RUN groupadd nonroot -g 2000 && \
    useradd -r -M -s /sbin/nologin -g nonroot -c nonroot nonroot -u 1000 && \
RUN mkdir /app \
    && chown nonroot:nonroot /home /app \
    && chmod 750 /app
USER nonroot

However, it is mounted with 50000:root ownership when I check inside the pod, which I think is inherited from CSI. Here is the CSI configuration:

mountOptions:
  - dir_mode=0770
  - file_mode=0770
  - uid=50000
  - gid=0
  - actimeo=30
  - nosharesock

What you expected to happen:

I expected the /app directory to retain the 1000:2000 ownership set in the Dockerfile, rather than being overridden by the CSI mount options.

How to reproduce it:

1. Create a Dockerfile with the specified user and group settings.
2. Deploy a pod with a volume mounted using the specified CSI configuration.
3. Check the ownership of the mounted directory inside the pod.

Anything else we need to know?:

Any guidance on using fsGroup and/or fsGroupChangePolicy to maintain the desired ownership would be greatly appreciated.

Environment:

• CSI Driver version: v1.29.8
• Kubernetes version (use kubectl version): Client Version: v1.30.3, Server Version: v1.28.13
• OS (e.g. from /etc/os-release):
• Kernel (e.g. uname -a):
• Install tools:
• Others:

[andyzhangx]

archived from the discussion in slack: currently the CSI driver would only do one smb mount one PV on the node, and you could set up two PVs referencing the same file share with different mountOptions to solve the issue.