Support useNodeAuthorization option to specify whether or not to use node authorized client for CSI (#4494)

Signed-off-by: trafalgarzzz <trafalgarz@outlook.com>

Author: TrafalgarZZZ

charts/fluid/fluid/templates/csi/daemonset.yaml

@@ -112,6 +112,7 @@ spec:
           - name: fluid-src-dir
             mountPath: {{ .Values.runtime.mountRoot | quote }}
             mountPropagation: "HostToContainer"
+          {{- if .Values.csi.useNodeAuthorization }}
           - name: kubelet-kube-config
             mountPath: /etc/kubernetes/kubelet.conf
             mountPropagation: "HostToContainer"
@@ -123,6 +124,7 @@ spec:
             mountPath: {{ .Values.csi.kubelet.certDir | quote }}
             readOnly: true
           {{- end }}
+          {{- end }}
           - name: updatedb-conf
             mountPath: /host-etc/updatedb.conf
           - name: updatedb-conf-bak
@@ -132,12 +134,19 @@ spec:
           hostPath:
             path: {{ .Values.csi.kubelet.rootDir | quote }}
             type: Directory
+        {{- if .Values.csi.useNodeAuthorization }}
+        {{- $kubeletRootDir := ternary ( .Values.csi.kubelet.rootDir ) ( print .Values.csi.kubelet.rootDir "/" ) ( hasSuffix "/" .Values.csi.kubelet.rootDir ) }}
         {{- if not ( hasPrefix $kubeletRootDir .Values.csi.kubelet.certDir ) }}
         - name: kubelet-cert-dir
           hostPath:
             path: {{ .Values.csi.kubelet.certDir | quote }}
             type: Directory
         {{- end }}
+        - name: kubelet-kube-config
+          hostPath:
+            path: {{ .Values.csi.kubelet.kubeConfigFile | quote }}
+            type: File
+        {{- end }}
         - name: plugin-dir
           hostPath:
             path: {{ .Values.csi.kubelet.rootDir }}/plugins/csi-fluid-plugin
@@ -150,10 +159,6 @@ spec:
             path: {{ .Values.runtime.mountRoot | quote }}
             type: DirectoryOrCreate
           name: fluid-src-dir
-        - hostPath:
-            path: {{ .Values.csi.kubelet.kubeConfigFile | quote }}
-            type: File
-          name: kubelet-kube-config
         - hostPath:
             path: /etc/updatedb.conf
             type: FileOrCreate

charts/fluid/fluid/templates/role/csi/rbac.yaml

@@ -44,6 +44,11 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
+  {{- if not .Values.csi.useNodeAuthorization }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "patch"]
+  {{- end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

charts/fluid/fluid/values.yaml

@@ -58,6 +58,10 @@ csi:
     imagePrefix: *defaultImagePrefix
     imageName: fluid-csi
     imageTag: *defaultVersion
+  # Whether or not to borrow kubelet's config file to use node authorization to restrict CSI Plugin's permission
+  # See why Fluid's CSI Plugins need node-specific authorization at https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-93xx-cvmc-9w3v
+  # See node authorization at https://kubernetes.io/docs/reference/access-authn-authz/node/
+  useNodeAuthorization: true
   kubelet:
     kubeConfigFile: /etc/kubernetes/kubelet.conf
     certDir: /var/lib/kubelet/pki

pkg/csi/plugins/nodeserver.go

@@ -32,8 +32,9 @@ import (
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
 	"github.com/fluid-cloudnative/fluid/pkg/utils/cmdguard"
 	"github.com/fluid-cloudnative/fluid/pkg/utils/dataset/volume"
+	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 	"github.com/pkg/errors"
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -60,7 +61,7 @@ type nodeServer struct {
 	apiReader            client.Reader
 	nodeAuthorizedClient *kubernetes.Clientset
 	locks                *utils.VolumeLocks
-	node                 *v1.Node
+	node                 *corev1.Node
 }
 
 func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
@@ -464,7 +465,7 @@ func (ns *nodeServer) getRuntimeNamespacedName(volumeContext map[string]string,
 }
 
 // getNode first checks cached node
-func (ns *nodeServer) getNode() (node *v1.Node, err error) {
+func (ns *nodeServer) getNode() (node *corev1.Node, err error) {
 	// Default to allow patch stale node info
 	if envVar, found := os.LookupEnv(AllowPatchStaleNodeEnv); !found || envVar == "true" {
 		if ns.node != nil {
@@ -473,20 +474,23 @@ func (ns *nodeServer) getNode() (node *v1.Node, err error) {
 		}
 	}
 
-	if node, err = ns.nodeAuthorizedClient.CoreV1().Nodes().Get(context.TODO(), ns.nodeId, metav1.GetOptions{}); err != nil {
-		return nil, err
+	useNodeAuthorization := ns.nodeAuthorizedClient != nil
+	if useNodeAuthorization {
+		if node, err = ns.nodeAuthorizedClient.CoreV1().Nodes().Get(context.TODO(), ns.nodeId, metav1.GetOptions{}); err != nil {
+			return nil, err
+		}
+	} else {
+		if node, err = kubeclient.GetNode(ns.apiReader, ns.nodeId); err != nil {
+			return nil, err
+		}
 	}
 
-	// if node, err = kubeclient.GetNode(ns.apiReader, ns.nodeId); err != nil {
-	// return nil, err
-	// }
-
 	glog.V(1).Infof("Got node %s from api server", node.Name)
 	ns.node = node
 	return ns.node, nil
 }
 
-func (ns *nodeServer) patchNodeWithLabel(node *v1.Node, labelsToModify common.LabelsToModify) error {
+func (ns *nodeServer) patchNodeWithLabel(node *corev1.Node, labelsToModify common.LabelsToModify) error {
 	labels := labelsToModify.GetLabels()
 	labelValuePair := map[string]interface{}{}
 
@@ -516,10 +520,22 @@ func (ns *nodeServer) patchNodeWithLabel(node *v1.Node, labelsToModify common.La
 	if err != nil {
 		return err
 	}
-
-	_, err = ns.nodeAuthorizedClient.CoreV1().Nodes().Patch(context.TODO(), node.Name, types.StrategicMergePatchType, patchByteData, metav1.PatchOptions{})
-	if err != nil {
-		return err
+	useNodeAuthorization := ns.nodeAuthorizedClient != nil
+	if useNodeAuthorization {
+		_, err = ns.nodeAuthorizedClient.CoreV1().Nodes().Patch(context.TODO(), node.Name, types.StrategicMergePatchType, patchByteData, metav1.PatchOptions{})
+		if err != nil {
+			return err
+		}
+	} else {
+		nodeToPatch := &corev1.Node{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: node.Name,
+			},
+		}
+		err = ns.client.Patch(context.TODO(), nodeToPatch, client.RawPatch(types.StrategicMergePatchType, patchByteData))
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil

pkg/csi/plugins/register.go

@@ -17,14 +17,35 @@ limitations under the License.
 package plugins
 
 import (
+	"os"
+
 	"github.com/fluid-cloudnative/fluid/pkg/csi/config"
 	"github.com/fluid-cloudnative/fluid/pkg/utils/kubelet"
+	"github.com/golang/glog"
+	"github.com/pkg/errors"
+	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
+// getNodeAuthorizedClientFromKubeletConfig retrieves a node-authorized Kubernetes client from the Kubelet configuration file.
+// This function checks if the specified Kubelet configuration file exists. If the file does not exist, it returns an empty client without an error .
+// If the file exists, it attempts to initialize and return a node-authorized Kubernetes client.
+func getNodeAuthorizedClientFromKubeletConfig(kubeletConfigPath string) (*kubernetes.Clientset, error) {
+	_, err := os.Stat(kubeletConfigPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			glog.Warningf("kubelet config file %s not exists, continue without node authorization...", kubeletConfigPath)
+			return nil, nil
+		}
+		return nil, errors.Wrapf(err, "fail to stat kubelet config file %s", kubeletConfigPath)
+	}
+
+	return kubelet.InitNodeAuthorizedClient(kubeletConfigPath)
+}
+
 // Register initializes the csi driver and registers it to the controller manager.
 func Register(mgr manager.Manager, ctx config.RunningContext) error {
-	client, err := kubelet.InitNodeAuthorizedClient(ctx.KubeletConfigPath)
+	client, err := getNodeAuthorizedClientFromKubeletConfig(ctx.KubeletConfigPath)
 	if err != nil {
 		return err
 	}