Add clarity around ReadWriteMany and CSI volume fsgroup ownership changes

[pwschuurman]

This is a Feature Request

What would you like to be added

Enhance the documentation around volume permissions and ownership change policy for Pods. In the documentation the fsgroup setting is not explicitly defined as only supporting ReadWriteOnce volumes. In the CSI mounter code, fsgroup is ignored if the AccessMode for a PVC is not ReadWriteOnce. This request is to enhance the documentation by adding a note stating this setting is ignored in RWX mode.

Why is this needed This would clarify the use of the fsgroup setting fpr RWX volumes

Comments

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[mattcary]

If that ftn returns false, then I think we fall back to the kubelet fsgroup policy which will apply it for RWX volumes: https://github.com/kubernetes/kubernetes/blob/9e2075b3c87061d25759b0ad112266f03601afd8/pkg/volume/csi/csi_mounter.go#L335

?

[pwschuurman]

I think it's driver dependent. Fsgroup will only be honoured for RWX volumes if the driver supports VOLUME_MOUNT_GROUP. By default for unsupported drivers the Kubelet fsgroup will only be applied if that function (supportsFSGroup) returns true (and the function returns false if the PVC isn't RWO).

[mattcary]

Hmm. I thought I'd seen problems for fsgroup on nfs volumes, though.

[mattcary]

Oh, but if a driver advertises, eg, a File access mode then fsgroup will apply: https://kubernetes-csi.github.io/docs/support-fsgroup.html.

[steve-hardman]

/language en

[pwschuurman]

Oh, but if a driver advertises, eg, a File access mode then fsgroup will apply: https://kubernetes-csi.github.io/docs/support-fsgroup.html.

Yes, I think that's the only way that non-RWO volumes can support fsgroup, by delegating to a (supported) CSI driver

[sftim]

/sig storage

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten