Ephemeral volume lifecycle mode is enabled by default
dobsonj opened this issue · 3 comments
What happened:
The `Ephemeral` volume lifecycle mode is enabled by default in csi-nfs-driverinfo.yaml, which could surprise some admins that deploying this CSI driver allows mounting of any NFS share by users who are only allowed to create pods.
What you expected to happen:
See the Security Considerations section for ephemeral volumes in the CSI docs and in KEP-596. The recommendation is:
"CSI inline volumes are only intended to be used for ephemeral storage, and driver vendors should NOT allow usage of inline volumes for persistent storage unless they also provide a third party pod admission plugin to restrict usage of these volumes."
i.e. the `Ephemeral` volume lifecycle mode should either be disabled by default, or a pod admission plugin should be provided with appropriate documentation.
How to reproduce it:
Anything else we need to know?:
Environment:
- CSI Driver version: v4.1.0
- Kubernetes version (use `kubectl version`): v1.25.0-alpha
- OS (e.g. from /etc/os-release):
- Kernel (e.g. `uname -a`):
- Install tools:
- Others:
so do you mean we should disable it by default?
Please use the helm chart to install this driver; in the helm chart, it's disabled by default:
> so do you mean we should disable it by default?

Disabling by default is probably the simplest solution, yes. An admin who understands the risks can still explicitly enable it if it's important for their use-case, but I don't think it's a good idea to have it enabled by default because it gives any user who can deploy pods the ability to mount any accessible NFS share. When ephemeral volumes are disabled, this ability would be restricted to the admin via StorageClass parameters.
> Please use the helm chart to install this driver; in the helm chart, it's disabled by default:

Ok, but following the kubectl instructions linked from the README still results in the `Ephemeral` mode being enabled. Can we disable it by default for both sets of instructions?
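An added example, not part of the original thread or the project's code: a cluster audit for the exposure discussed above, listing CSIDriver objects that advertise the `Ephemeral` lifecycle mode and the pods that mount inline CSI volumes through them. It assumes the driver is registered as `nfs.csi.k8s.io`; the JSON samples, namespaces, server and share names are constructed, standing in for saved `kubectl get ... -o json` output.

```python
import json

# Constructed sample, trimmed from `kubectl get csidriver -o json`.
CSIDRIVERS = json.loads("""{"items": [
  {"metadata": {"name": "nfs.csi.k8s.io"},
   "spec": {"volumeLifecycleModes": ["Persistent", "Ephemeral"]}},
  {"metadata": {"name": "other.csi.example.test"}, "spec": {}}
]}""")

# Constructed sample, trimmed from `kubectl get pods -A -o json`.
PODS = json.loads("""{"items": [
  {"metadata": {"namespace": "team-a", "name": "report-job"},
   "spec": {"volumes": [{"name": "data", "csi": {
     "driver": "nfs.csi.k8s.io",
     "volumeAttributes": {"server": "nfs.example.internal",
                          "share": "/exports/finance"}}}]}},
  {"metadata": {"namespace": "team-b", "name": "web"},
   "spec": {"volumes": [
     {"name": "data", "persistentVolumeClaim": {"claimName": "web-data"}}]}}
]}""")


def ephemeral_drivers(csidrivers):
    """CSIDriver names whose spec lists the Ephemeral lifecycle mode.
    An unset volumeLifecycleModes defaults to Persistent only."""
    return sorted(
        d["metadata"]["name"] for d in csidrivers.get("items", [])
        if "Ephemeral" in (d.get("spec", {}).get("volumeLifecycleModes") or [])
    )


def inline_csi_volumes(pods, drivers):
    """(namespace, pod, volume, attributes) per inline CSI volume on `drivers`."""
    findings = []
    for pod in pods.get("items", []):
        meta = pod["metadata"]
        for vol in pod.get("spec", {}).get("volumes") or []:
            csi = vol.get("csi")
            if csi and csi.get("driver") in drivers:
                findings.append((meta["namespace"], meta["name"], vol["name"],
                                 csi.get("volumeAttributes", {})))
    return findings


if __name__ == "__main__":
    for finding in inline_csi_volumes(PODS, ephemeral_drivers(CSIDRIVERS)):
        print(finding)
```

Pods that reach NFS through a PersistentVolumeClaim are not reported, since those shares are chosen by whoever controls the StorageClass or PersistentVolume rather than by the pod author.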