@TrafalgarZZZ TrafalgarZZZ commented Feb 11, 2025

Ⅰ. Describe what this PR does

  • Add an option to values.yaml to enable node authorized client for CSI. (default value: true)

Background:
Fluid borrows kubelet's kube config to use node authorization to restrict Fluid CSI Plugin's permission. However, in some Kubernetes environments (e.g. AWS EKS), it may need extra effort to correctly configure node authorization.

This PR adds an option in Fluid's chart to allow users to deploy Fluid without using node authorization. This forces Fluid CSI Plugin to fall back to using the standard Kubernetes client (based on service account and RBAC).

WARNING: It should be well noted that deploying Fluid without using node authorization promotes Fluid CSI Plugin's permission, and this may lead to potential security issues.

Ⅱ. Does this pull request fix one issue?

fixes #4496

Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

…e node authorized client for CSI

Signed-off-by: trafalgarzzz <trafalgarz@outlook.com>

fluid-e2e-bot bot commented Feb 11, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@TrafalgarZZZ TrafalgarZZZ marked this pull request as ready for review February 12, 2025 06:52
@TrafalgarZZZ
Member Author

/test fluid-e2e

cheyang commented Feb 14, 2025

Ⅰ. Describe what this PR does

  • Add an option to values.yaml to enable node authorized client for CSI. (default value: true)

Background: Fluid borrows kubelet's kube config to use node authorization to restrict Fluid CSI Plugin's permission. However, in some Kubernetes environments (e.g. AWS EKS), it may need extra effort to correctly configure node authorization.

This PR adds an option in Fluid's chart to allow users to deploy Fluid without using node authorization. This forces Fluid CSI Plugin to fall back to using the standard Kubernetes client (based on service account and RBAC).

WARNING: It should be well noted that deploying Fluid without using node authorization promotes Fluid CSI Plugin's permission, and this may lead to potential security issues.

Ⅱ. Does this pull request fix one issue?

fixes #4496

Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

@cheyang cheyang closed this Feb 14, 2025
@cheyang cheyang reopened this Feb 14, 2025

@cheyang cheyang left a comment

/lgtm
/approve

fluid-e2e-bot bot commented Feb 14, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheyang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fluid-e2e-bot fluid-e2e-bot bot merged commit e6fda73 into fluid-cloudnative:master Feb 14, 2025
24 checks passed

Development

Successfully merging this pull request may close these issues.

[FEATURES] Support deploying Fluid without node authorization
