Skip to content

Authentication with Kerberos credentials #999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 23 commits into
base: master
Choose a base branch
from
Open

Authentication with Kerberos credentials #999

wants to merge 23 commits into from
+290 −26

Conversation

@GamerGirlandCo
Copy link

@GamerGirlandCo GamerGirlandCo commented Nov 5, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:
This PR implements authentication with a kerberos principal and password when mounting NFS shares.

Which issue(s) this PR fixes:

Fixes #525

Special notes for your reviewer:

  • I changed the Dockerfile's base image to debian:stable-slim
    Justification: services cannot be started due to a missing file /lib/lsb/init-functions
  • I changed the Dockerfile's entrypoint to a script (entry.sh)
    The script is created in the Dockerfile inline, and you can review it here
    Justification: this is so we can start necessary services (rpcbind and nfs-common) if and only if we're in the controller pod. Otherwise, the nfsplugin binary is invoked with the exact same arguments the pod's nfs container was started with.

Does this PR introduce a user-facing change?:

Added the ability to authenticate with kerberos-protected NFS shares
The following new parameters may be specified when creating or updating a storage class:
- **`authPrincipal`**
  The principal that will be used to authenticate to the share
- **`authPasswordSecret`**
  The secret containing the authentication password
- **`authKrbConf`**
  The secret containing contents of a krb5.conf with information about how to connect to a realm.

@GamerGirlandCo
refactor: update Dockerfile to install krb5-user to facilitate kerb…
ab4a863 
…eros authentication
@GamerGirlandCo
refactor: add storageClass parameters for kerberos auth
16b2aa7
@GamerGirlandCo
refactor: add secrets parameter to internalMount func
dd80225 
this will allow the authentication password to be passed to `kinit`
@GamerGirlandCo
refactor: modify NodePublishVolume to invoke kinit if kerberos cr…
41ead10 
…edentials are provided
@GamerGirlandCo
refactor: update dockerfile
8a474ca 
- change base image to `debian:stable-slim`
  justification: services cannot be started due to missing file `/lib/lsb/init-functions`
- invoke a script (`entry.sh`) that then invokes `/nfsplugin` with any passed args.
  justification: this is so we can start necessary services (`rpcbind` and `nfs-common`) if and only if we're in the controller pod.
- set `entry.sh` as the entrypoint
@GamerGirlandCo
refactor(examples): add deployment example for an nfs server with ker…
ae1b082 
…beros auth
@GamerGirlandCo
refactor(charts): invoke controller pod's entrypoint with true as t…
c377d73 
…he first argument

this is to tell the script that we're running as a controller, so the necessary services can be started
@GamerGirlandCo
test: add tests for mounting shares with kerberos auth
c466707
@GamerGirlandCo
chore: update install-nfs-server makefile goal
f634818 
- apply the kerberos nfs server deployment with `kubectl`
- add a `krb-pwd` key to the `mount-options` secret, which will be used to authenticate with the share in tests
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Nov 5, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 5, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: GamerGirlandCo
Once this PR has been reviewed and has the lgtm label, please assign msau42 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 5, 2025

Welcome @GamerGirlandCo!

It looks like this is your first PR to kubernetes-csi/csi-driver-nfs 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-csi/csi-driver-nfs has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Nov 5, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 5, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 5, 2025

Hi @GamerGirlandCo. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Nov 5, 2025
andyzhangx
andyzhangx reviewed Nov 5, 2025
View reviewed changes
Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 5, 2025
@GamerGirlandCo
Copy link
Author

GamerGirlandCo commented Nov 5, 2025

/retest

@GamerGirlandCo
Copy link
Author

GamerGirlandCo commented Nov 5, 2025

/retest

@GamerGirlandCo
refactor: add authKrbConf mount parameter
903cfea 
allows an end user to specify a secret which contains contents of a kerberos 5 configuration file that specifies how to connect to one or more realms
@GamerGirlandCo
fix: unused variable error
250ff6d
@GamerGirlandCo
Copy link
Author

GamerGirlandCo commented Nov 5, 2025

/retest

@GamerGirlandCo
style: run gofmt
714dfa5
@GamerGirlandCo
chore: fix invalid krb5.conf
ed9596a
@GamerGirlandCo
fix: add sleep 5 to Dockerfile
afbbd54 
ensure that `nfs-common` daemons have been started properly
@GamerGirlandCo
fix: update deploy/example/nfs-provisioner/nfs-krb-server.yaml
530c840 
fix reference to secret that doesn't exist in CI environment
@GamerGirlandCo
refactor: handle error returned by os.WriteFile
c72a7fe
@GamerGirlandCo
refactor: update nodeserver.go
f9351ae 
add more detailed error logging during kerberos auth phase
@GamerGirlandCo
style: run gofmt
8c62980
@GamerGirlandCo
Copy link
Author

GamerGirlandCo commented Nov 7, 2025

/test pull-csi-driver-nfs-e2e-capz

@GamerGirlandCo
Copy link
Author

GamerGirlandCo commented Nov 10, 2025

/retest-required

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 11, 2025
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 11, 2025
@GamerGirlandCo
refactor: update nfs-krb-server.yaml
13221c1 
use ubuntu nfs-krb image instead of alpine to maybe fix timeouts
@GamerGirlandCo
update nfs-krb-server.yaml
a6e1f33 
switch back to alpine nfs-krb image, open TCP port 111
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 11, 2025

@GamerGirlandCo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-csi-driver-nfs-external-e2e a6e1f33 link true /test pull-csi-driver-nfs-external-e2e
pull-csi-driver-nfs-e2e-capz a6e1f33 link false /test pull-csi-driver-nfs-e2e-capz

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gnufied gnufied Awaiting requested review from gnufied

@sunnylovestiramisu sunnylovestiramisu Awaiting requested review from sunnylovestiramisu

@andyzhangx andyzhangx Awaiting requested review from andyzhangx

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

NFS credentials

3 participants

@GamerGirlandCo @k8s-ci-robot @andyzhangx