search

oracle / oci-cloud-controller-manager

Kubernetes Cloud Controller Manager implementation for Oracle Cloud Infrastructure
Apache License 2.0
135 stars 85 forks source link

Add support to specify NSGs for Mount Targets provisioned by the CCM #459

Closed robo-cap closed 5 months ago

robo-cap commented 5 months ago

FEATURE REQUEST

In the current implementation is not possible to set the NSG for the Mount Targets created using the OCI CCM CSI.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fss-dyn-storage
provisioner: fss.csi.oraclecloud.com
parameters:
  availabilityDomain: US-ASHBURN-AD-1
  mountTargetSubnetOcid: ocid1.subnet.oc1.iad.aaaaaaaa2xpk______zva
  compartmentOcid: ocid1.compartment.oc1..aaaaaaaay______t6q
  kmsKeyOcid: ocid1.key.oc1.iad.anntl______usjh
  exportPath: /FileSystem1
  exportOptions: "[{\"source\":\"0.0.0.0/0\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\"}]"
  encryptInTransit: "true"

Versions

CCM Version: v1.28.0

Environment:

What happened?

There is no annotation available to specify the NSG.

What you expect to happen?

An annotation should be supported considering the least privilege access.

How to reproduce it (as minimally and precisely as possible)?

Anything else we need to know?

mrunalpagnis commented 5 months ago

NSGs are associated with Mount Target Subnet. The mount target subnet is not managed by CCM/CSI. This is by design, subnet and NSGs management by CSI will not be supported.

mrunalpagnis commented 5 months ago

Clarifying after talking over DM. This is a feature request for associating Mount Target with an existing NSG ref - https://docs.oracle.com/en-us/iaas/Content/File/Tasks/create-mount-target.htm This is a feature request for CSI and not CCM. @robo-cap will be following up with Product as well.