kubernetes / cloud-provider-openstack

Apache License 2.0

[cinder-csi]: allow node service to run without openstack client #2655

Closed kayrus closed 2 months ago

kayrus commented 2 months ago

What this PR does / why we need it:

This PR allows running the cinder-csi-plugin node service without requiring OpenStack credentials.

Which issue this PR fixes (if applicable): fixes #2599, supersedes #2640

Special notes for reviewers:

This PR will be used to backport to 1.31

Release note:

This PR is intended to improve the cinder CSI driver security.

[cinder-csi]: allow node service to run without openstack client
kayrus commented 2 months ago

Waiting for #2648 to be merged

kayrus commented 2 months ago

@zetaab @dulek ready for review. This is a compromise for the #2640 PR, which is more readable and easy to backport (see #2656). I believe this can be considered a security improvement in cases where a controller is running in a secure isolated environment (another k8s cluster) and a node service is running in a consumer's cluster.

I checked the pkg/csi/cinder/nodeserver.go code, and the new noop_openstack.go code should be fully compatible without a significant code rewrite.

k8s-ci-robot commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zetaab

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/cloud-provider-openstack/blob/master/OWNERS)~~ [zetaab]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

zetaab commented 2 months ago

/lgtm

zetaab commented 2 months ago

/cherry-pick release-1.31

k8s-infra-cherrypick-robot commented 2 months ago

@zetaab: once the present PR merges, I will cherry-pick it on top of release-1.31 in a new PR and assign it to you.

In response to [this](https://github.com/kubernetes/cloud-provider-openstack/pull/2655#issuecomment-2357795222):

>/cherry-pick release-1.31

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

k8s-infra-cherrypick-robot commented 2 months ago

@zetaab: new pull request created: #2662
