Merge pull request #184 from mauriciopoppe/working-dir-flag

Add the --working-dir repeated flag

Author: k8s-ci-robot

README.md

@@ -50,8 +50,8 @@ On successful execution of `make build`, the output binary `csi-proxy.exe` will
 
 csi-proxy.exe can be installed and run as binary or run as a Windows service on each Windows node. See the following as an example to run CSI Proxy as a web service.
 ```
-    $flags = "-windows-service -log_file=\etc\kubernetes\logs\csi-proxy.log -logtostderr=false"
-    sc.exe create csiproxy binPath= "\etc\kubernetes\node\bin\csi-proxy.exe $flags"
+    $flags = "-windows-service -log_file=C:\etc\kubernetes\logs\csi-proxy.log -logtostderr=false"
+    sc.exe create csiproxy binPath= "C:\etc\kubernetes\node\bin\csi-proxy.exe $flags"
     sc.exe failure csiproxy reset= 0 actions= restart/10000
     sc.exe start csiproxy
 ```
@@ -62,6 +62,7 @@ If you are using kube-up to start a Windows cluster, node startup script will au
 ### Command line options
 
 * `--kubelet-path`: This is the prefix path of the kubelet path directory in the host file system (`C:\var\lib\kubelet` is used by default).
+* `--working-dir` (repeated flag): Prefix path where CSI Proxy is allowed to make privileged operations in the host file system (no value by default).
 
 ### Setup for CSI Driver Deployment
 
@@ -108,6 +109,7 @@ spec:
             - name: registration-dir
               mountPath: C:\registration
         - name: csi-driver
+          # placeholder, use your CSI driver
           image: org/csi-driver:win-v1
           args:
             - "--v=5"

cmd/csi-proxy/main.go

@@ -22,17 +22,33 @@ import (
 	"k8s.io/klog/v2"
 )
 
+type workingDirFlags []string
+
+func (i *workingDirFlags) String() string {
+	return "Not implemented"
+}
+
+func (i *workingDirFlags) Set(value string) error {
+	*i = append(*i, value)
+	return nil
+}
+
 var (
 	kubeletPath = flag.String("kubelet-path", `C:\var\lib\kubelet`, "Prefix path of the kubelet directory in the host file system")
 	windowsSvc  = flag.Bool("windows-service", false, "Configure as a Windows Service")
 	service     *handler
+	workingDirs workingDirFlags
 )
 
 type handler struct {
 	tosvc   chan bool
 	fromsvc chan error
 }
 
+func init() {
+	flag.Var(&workingDirs, "working-dir", "Prefix path of the csi-proxy working directory in the host file system")
+}
+
 func main() {
 	defer klog.Flush()
 	klog.InitFlags(nil)
@@ -60,7 +76,7 @@ func main() {
 
 // apiGroups returns the list of enabled API groups.
 func apiGroups() ([]srvtypes.APIGroup, error) {
-	fssrv, err := filesystemsrv.NewServer(*kubeletPath, filesystemapi.New())
+	fssrv, err := filesystemsrv.NewServer(*kubeletPath, workingDirs, filesystemapi.New())
 	if err != nil {
 		return []srvtypes.APIGroup{}, err
 	}

pkg/server/filesystem/server.go

@@ -15,6 +15,7 @@ import (
 
 type Server struct {
 	kubeletPath string
+	workingDirs []string
 	hostAPI     filesystem.API
 }
 
@@ -24,9 +25,10 @@ var _ internal.ServerInterface = &Server{}
 var invalidPathCharsRegexWindows = regexp.MustCompile(`["/\:\?\*|]`)
 var absPathRegexWindows = regexp.MustCompile(`^[a-zA-Z]:\\`)
 
-func NewServer(kubeletPath string, hostAPI filesystem.API) (*Server, error) {
+func NewServer(kubeletPath string, workingDirs []string, hostAPI filesystem.API) (*Server, error) {
 	return &Server{
 		kubeletPath: kubeletPath,
+		workingDirs: workingDirs,
 		hostAPI:     hostAPI,
 	}, nil
 }
@@ -69,8 +71,6 @@ func (s *Server) ValidatePluginPath(path string) error {
 }
 
 func (s *Server) validatePathWindows(path string) error {
-	prefix := s.kubeletPath
-
 	pathlen := len(path)
 
 	if pathlen > utils.MaxPathLengthWindows {
@@ -93,8 +93,18 @@ func (s *Server) validatePathWindows(path string) error {
 		return fmt.Errorf("not an absolute Windows path: %s", path)
 	}
 
-	if !strings.HasPrefix(strings.ToLower(path), strings.ToLower(prefix)) {
-		return fmt.Errorf("path: %s is not within context path: %s", path, prefix)
+	valid := false
+	if strings.HasPrefix(strings.ToLower(path), strings.ToLower(s.kubeletPath)) {
+		valid = true
+	}
+	for _, workingDir := range s.workingDirs {
+		if strings.HasPrefix(strings.ToLower(path), strings.ToLower(workingDir)) {
+			valid = true
+		}
+	}
+
+	if !valid {
+		return fmt.Errorf("path: %s is not within context path: %s or %v", path, s.kubeletPath, s.workingDirs)
 	}
 
 	return nil

pkg/server/filesystem/server_test.go

@@ -117,7 +117,7 @@ func TestMkdirWindows(t *testing.T) {
 			expectError: true,
 		},
 	}
-	srv, err := NewServer(`C:\var\lib\kubelet`, &fakeFileSystemAPI{})
+	srv, err := NewServer(`C:\var\lib\kubelet`, []string{}, &fakeFileSystemAPI{})
 	if err != nil {
 		t.Fatalf("FileSystem Server could not be initialized for testing: %v", err)
 	}
@@ -221,7 +221,7 @@ func TestRmdirWindows(t *testing.T) {
 			expectError: true,
 		},
 	}
-	srv, err := NewServer(`C:\var\lib\kubelet`, &fakeFileSystemAPI{})
+	srv, err := NewServer(`C:\var\lib\kubelet`, []string{}, &fakeFileSystemAPI{})
 	if err != nil {
 		t.Fatalf("FileSystem Server could not be initialized for testing: %v", err)
 	}

pkg/server/smb/server_test.go

@@ -83,7 +83,7 @@ func TestNewSmbGlobalMapping(t *testing.T) {
 			expectError: false,
 		},
 	}
-	fsSrv, err := fsserver.NewServer(`C:\var\lib\kubelet`, &fakeFileSystemAPI{})
+	fsSrv, err := fsserver.NewServer(`C:\var\lib\kubelet`, []string{}, &fakeFileSystemAPI{})
 	if err != nil {
 		t.Fatalf("FileSystem Server could not be initialized for testing: %v", err)
 	}