Merge pull request #383 from l-technicore/oke-oss-release-v1.22.0

Oke oss release v1.22.0

Author: mrunalpagnis

.github/workflows/makefile.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v2
         with:
-          go-version: 1.15
+          go-version: 1.16
         id: go
 
       - name: Check out code into the Go module directory

Dockerfile

@@ -14,7 +14,7 @@
 
 ARG CI_IMAGE_REGISTRY
 
-FROM ${CI_IMAGE_REGISTRY}/oci-kube-ci:1.0.5
+FROM ${CI_IMAGE_REGISTRY}/oci-kube-ci:1.0.6
 
 ARG COMPONENT
 

Dockerfile_arm_all

@@ -1,6 +1,6 @@
 ARG CI_IMAGE_REGISTRY
 
-FROM ${CI_IMAGE_REGISTRY}/oci-kube-ci:1.0.5 as builder
+FROM ${CI_IMAGE_REGISTRY}/oci-kube-ci:1.0.6 as builder
 
 ARG COMPONENT
 

Makefile

@@ -38,7 +38,7 @@ else
     VERSION   ?= ${VERSION}
 endif
 
-RELEASE = v1.19.12
+RELEASE = v1.22.0
 
 GOOS ?= linux
 ARCH ?= amd64
@@ -182,6 +182,17 @@ version:
 .PHONY: build-local
 build-local: build
 
+.PHONY: test-local
+test-local: build-dirs
+	@docker run --rm \
+		   --privileged \
+			 -w $(DOCKER_REPO_ROOT) \
+			 -v $(PWD):$(DOCKER_REPO_ROOT) \
+			 -e COMPONENT="$(COMPONENT)" \
+			 -e GOPATH=/go/ \
+			odo-docker-signed-local.artifactory.oci.oraclecorp.com/odx-oke/oke/k8-manager-base:go1.16.1-1.0.9 \
+			make coverage image
+
 .PHONY: run-ccm-e2e-tests-local
 run-ccm-e2e-tests-local:
 	./hack/run_e2e_test.sh

README.md

@@ -22,12 +22,14 @@ cloud-provider specific code out of the Kubernetes codebase.
 
 ## Compatibility matrix
 
-|           | Min Kubernetes Version      | Max Kubernetes Version       |
-|-----------|-----------------------------|------------------------------|
-| \>=v 0.11 | v1.16                       | v1.18                        |
-| \>=v 0.12 | v1.18                       | v1.21                        |
-| \>=v 0.13 | v1.19                       | v1.21                        |
-| v1.19.12  | v1.19                       | v1.21                        |
+|           | Min Kubernetes Version | Max Kubernetes Version |
+|-----------|------------------------|------------------------|
+| \>=v 0.11 | v1.16                  | v1.18                  |
+| \>=v 0.12 | v1.18                  | v1.21                  |
+| \>=v 0.13 | v1.19                  | v1.21                  |
+| v1.19.12  | v1.19                  | v1.21                  |
+| v1.22.0   | v1.22                  | -                      |
+
 
 Note: 
 Versions older than v0.13.0 are no longer supported, new features / bug fixes will be available in v0.13.0 and later. 

VERSION

@@ -1 +1 @@
-1.19
+1.22

ci-docker-images/Dockerfile

@@ -32,18 +32,18 @@ RUN wget https://bootstrap.pypa.io/pip/3.6/get-pip.py
 RUN python3 get-pip.py
 
 # Install golang environment
-RUN curl https://storage.googleapis.com/golang/go1.15.12.linux-amd64.tar.gz -O && \
+RUN curl https://storage.googleapis.com/golang/go1.16.15.linux-amd64.tar.gz -O && \
     mkdir /tools && \
-    tar xzf go1.15.12.linux-amd64.tar.gz -C /tools && \
-    rm go1.15.12.linux-amd64.tar.gz && \
+    tar xzf go1.16.15.linux-amd64.tar.gz -C /tools && \
+    rm go1.16.15.linux-amd64.tar.gz && \
     mkdir -p /go/bin
 
 ENV PATH=/tools/go/bin:/go/bin:/tools/linux-amd64:$PATH \
     GOPATH=/go \
     GOROOT=/tools/go
 
 # Install the kubectl client
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl && \
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.22.5/bin/linux/amd64/kubectl && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/local/bin/kubectl
 

cmd/oci-cloud-controller-manager/main.go

@@ -25,11 +25,16 @@ import (
 	"github.com/oracle/oci-cloud-controller-manager/pkg/logging"
 	"github.com/spf13/pflag"
 	"go.uber.org/zap"
+	"k8s.io/apimachinery/pkg/util/wait"
+	cloudprovider "k8s.io/cloud-provider"
+	"k8s.io/cloud-provider/app"
+	"k8s.io/cloud-provider/app/config"
+	"k8s.io/cloud-provider/options"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
 	_ "k8s.io/component-base/metrics/prometheus/restclient" // for client metric registration
 	_ "k8s.io/component-base/metrics/prometheus/version"    // for version metric registration
-	"k8s.io/kubernetes/cmd/cloud-controller-manager/app"
+	"k8s.io/klog/v2"
 )
 
 var version string
@@ -42,7 +47,13 @@ func main() {
 	defer logger.Sync()
 	zap.ReplaceGlobals(logger)
 
-	command := app.NewCloudControllerManagerCommand()
+	s, err := options.NewCloudControllerManagerOptions()
+	if err != nil {
+		logger.With(zap.Error(err)).Fatal("unable to initialize command options")
+	}
+
+	fss := cliflag.NamedFlagSets{}
+	command := app.NewCloudControllerManagerCommand(s, cloudInitializer, app.DefaultInitFuncConstructors, fss, wait.NeverStop)
 
 	// TODO: once we switch everything over to Cobra commands, we can go back to calling
 	// utilflag.InitFlags() (by removing its pflag.Parse() call). For now, we have to set the
@@ -61,3 +72,25 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func cloudInitializer(config *config.CompletedConfig) cloudprovider.Interface {
+	cloudConfig := config.ComponentConfig.KubeCloudShared.CloudProvider
+	// initialize cloud provider with the cloud provider name and config file provided
+	cloud, err := cloudprovider.InitCloudProvider(cloudConfig.Name, cloudConfig.CloudConfigFile)
+	if err != nil {
+		klog.Fatalf("Cloud provider could not be initialized: %v", err)
+	}
+	if cloud == nil {
+		klog.Fatalf("Cloud provider is nil")
+	}
+
+	if !cloud.HasClusterID() {
+		if config.ComponentConfig.KubeCloudShared.AllowUntaggedCloud {
+			klog.Warning("detected a cluster without a ClusterID.  A ClusterID will be required in the future.  Please tag your cluster to avoid any future issues")
+		} else {
+			klog.Fatalf("no ClusterID found.  A ClusterID is required for the cloud provider to function properly.  This check can be bypassed by setting the allow-untagged-cloud option")
+		}
+	}
+
+	return cloud
+}

cmd/oci-csi-node-driver/nodedriveroptions/nodecsioptions.go

@@ -27,12 +27,12 @@ type NodeCSIOptions struct {
 }
 
 type NodeOptions struct {
-	Name					string
-	Endpoint				string
-	NodeID					string
-	Kubeconfig				string
-	Master					string
-	DriverName				string
-	DriverVersion			string
-	EnableControllerServer	bool
+	Name                   string
+	Endpoint               string
+	NodeID                 string
+	Kubeconfig             string
+	Master                 string
+	DriverName             string
+	DriverVersion          string
+	EnableControllerServer bool
 }

container-storage-interface.md

@@ -117,9 +117,65 @@ Check if PVC is now in bound state:
 $ kubectl describe pvc/oci-bv-claim
 ```
 
+# Troubleshoot
+
+### FsGroup policy not propagated from pod security context
+
+If your fsGroup is not being applied on the files in your volume.
+
+Read more about [fsGroup Policy][7].
+
+Ex. 
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: security-context-demo
+spec:
+  securityContext:
+    fsGroup: 2000
+  containers:
+  - name: sec-ctx-demo
+    image: busybox:1.28
+    command: [ "sh", "-c", "sleep 1h" ]
+    volumeMounts:
+    - name: sec-ctx-vol
+      mountPath: /data/demo
+```
+
+```bash
+kubectl exec -it security-context-demo -- sh -c "cd /data/demo && echo hello > testfile"
+kubectl exec -it security-context-demo -- sh -c "ls -l /data/demo/testfile"
+```
+
+The output you would expect is that the `/data/demo/testfile` file has group ID 2000, which is the value of fsGroup
+```bash
+-rw-r--r-- 1 root 2000 6 Jun  6 20:08 testfile
+```
+
+But the same does not reflect on your volume, i.e. the permissions on your files/folders are not what you would expect.
+Ex:
+```bash
+-rw-r--r-- 1 root root 6 Jun  6 20:08 testfile
+```
+
+### Solution:
+Create a CSI Driver object with spec: `fsGroupPolicy: File`.
+Ex:
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+name: blockvolume.csi.oraclecloud.com
+spec:
+  fsGroupPolicy: File
+```
+`File` - Indicates that the CSI volume driver supports volume ownership and permission change via fsGroup, and Kubernetes may use fsGroup to change permissions and ownership of the volume to match user requested fsGroup in the pod's SecurityPolicy regardless of fstype or access mode.
+
 [1]: https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Concepts/overview.htm
 [2]: https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/
 [3]: https://kubernetes.io/docs/admin/authorization/rbac/
 [4]: https://kubernetes-csi.github.io/docs/external-provisioner.html
 [5]: https://kubernetes-csi.github.io/docs/external-attacher.html
 [6]: https://kubernetes-csi.github.io/docs/node-driver-registrar.html
+[7]: https://kubernetes-csi.github.io/docs/support-fsgroup.html#csi-volume-fsgroup-policy