@jairov4 jairov4 commented Feb 24, 2022

Containers running with a custom uid are not able to access the mounted volume due to a permissions error.
This fix adds the permission flags at the mount point level.

@joschi36

This should not be implemented, as Kubernetes already has logic for this case built in.

See fsGroup in SecurityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Kukunin commented Apr 30, 2025

The problem is that the current 0.0.2 version of the driver ignores the fsGroup setting. I'm trying to build a newer version from one of the PRs and will report on the success.

Kukunin commented Apr 30, 2025

OK, after spending hours and hours trying to figure out what's going on, I've found the fix for the official release.

I use the CloudStack ISO for Kubernetes v1.30.3 and had the same error with non-root users. fsGroup is handled by Kubernetes itself, but for some reason, the default behavior seems to have changed in later versions. There is no permissions-related code in the CSI drivers themselves.

The proper fix is to set fsGroupPolicy: File for the csidriver. You can update the yaml file, making the driver look like this:

apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: csi.cloudstack.apache.org
spec:
  # Supports only persistent volumes.
  volumeLifecycleModes:
    - Persistent
  fsGroupPolicy: File

Or go to the existing csidriver, and change the property. After setting it to File, permissions are automagically fixed for me. No updates, no custom builds are required, works on the 0.0.2 release.

P.S. No AI was helpful with this issue. Co-pilot failed to fix it in the code; Claude and ChatGPT guided me in the wrong direction, that the CSI driver handles permissions. I had to do my own research.

More information:
kubernetes-sigs/aws-ebs-csi-driver#1982
kubernetes-sigs/aws-ebs-csi-driver#1377
https://kubernetes.io/blog/2020/12/14/kubernetes-release-1.20-fsgroupchangepolicy-fsgrouppolicy/
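
The `fsGroupPolicy` rules documented by Kubernetes, as an added sketch that is not part of this thread or of the driver's code: with the default `ReadWriteOnceWithFSType` policy the pod's `fsGroup` is applied only when the PV defines an `fsType` and its access modes include `ReadWriteOnce`, while `File` applies it unconditionally. The manifests are constructed samples, and the PV without an `fsType` is an assumption for illustration, not a statement about what the CloudStack driver provisions.

```python
# Added illustration: simplified model of the documented fsGroupPolicy rules.
# All manifests below are constructed samples, not taken from a real cluster.
DEFAULT_POLICY = "ReadWriteOnceWithFSType"  # used when fsGroupPolicy is unset


def fsgroup_decision(csidriver, pv, pod):
    """Return (applied, reason): will the volume be chowned to the pod's fsGroup?"""
    ctx = pod.get("spec", {}).get("securityContext", {})
    if ctx.get("fsGroup") is None:
        return False, "pod sets no fsGroup"
    policy = csidriver.get("spec", {}).get("fsGroupPolicy", DEFAULT_POLICY)
    if policy == "None":
        return False, "driver opts out of fsGroup handling"
    if policy == "File":
        return True, "File: always applied, regardless of fsType or access mode"
    # ReadWriteOnceWithFSType: both conditions must hold.
    spec = pv.get("spec", {})
    if not spec.get("csi", {}).get("fsType"):
        return False, "PV has no fsType"
    if "ReadWriteOnce" not in spec.get("accessModes", []):
        return False, "PV access modes lack ReadWriteOnce"
    return True, "fsType set and ReadWriteOnce present"


# Non-root pod that relies on fsGroup for write access to the volume.
POD = {"spec": {"securityContext": {"runAsUser": 1000, "fsGroup": 2000}}}
# Assumption for illustration: a PV provisioned without an fsType.
PV_NO_FSTYPE = {"spec": {"accessModes": ["ReadWriteOnce"],
                         "csi": {"driver": "csi.cloudstack.apache.org"}}}
PV_EXT4 = {"spec": {"accessModes": ["ReadWriteOnce"],
                    "csi": {"driver": "csi.cloudstack.apache.org",
                            "fsType": "ext4"}}}
DRIVER_UNSET = {"spec": {"volumeLifecycleModes": ["Persistent"]}}
DRIVER_FILE = {"spec": {"volumeLifecycleModes": ["Persistent"],
                        "fsGroupPolicy": "File"}}

if __name__ == "__main__":
    cases = [("policy unset, no fsType", DRIVER_UNSET, PV_NO_FSTYPE),
             ("policy unset, ext4", DRIVER_UNSET, PV_EXT4),
             ("policy File, no fsType", DRIVER_FILE, PV_NO_FSTYPE)]
    for name, drv, pv in cases:
        print(name, "->", fsgroup_decision(drv, pv, POD))
```
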
