support uid/gid

Signed-off-by: stoneshi-yunify <[email protected]>

README.md

@@ -29,6 +29,16 @@ Create pod with pvc volumes to test.
 
 Take [this](config/samples/mongo-test.yaml) for example.
 
+# Environment Variables
+The following environment variables will be present in the injected init container.
+
+| Environment Variable | Explanation                                                                                                                                          | Present When           | Example Values    |
+|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-------------------|
+| PVC_1_MOUNT_PATH     | pvc volume's mount path in the init container                                                                                                        | Always                 | `/data`           |
+| PVC_1_UID            | value from pod's annotation `volume.storage.kubesphere.io/uid` or `${volume-name}.volume.storage.kubesphere.io/uid`, can be used to chown the volume | When annotation exists | `mongodb`, `1001` |
+| PVC_1_GID            | value from pod's annotation `volume.storage.kubesphere.io/gid` or `${volume-name}.volume.storage.kubesphere.io/gid`, can be used to chown the volume | When annotation exists | `0`, `mongodb`    |
+
+
 # Limitations
 - If the pvc matches multiple pvcMatchers and init containers, only the first init container will be injected.
 

config/samples/mongo-test.yaml

@@ -2,6 +2,10 @@ kind: StatefulSet
 apiVersion: apps/v1
 metadata:
   name: mongodb-test
+  annotations:
+    volume.storage.kubesphere.io/uid: "0"
+    volume.storage.kubesphere.io/gid: "0"
+    ttt.volume.storage.kubesphere.io/uid: mongodb
   labels:
     app: mongodb-test
 spec:

config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml

@@ -29,7 +29,7 @@ spec:
     command:
       - sh
       - '-c'
-      - chown -R 1001:0 $PVC_1_MOUNT_PATH
+      - chown -R ${PVC_1_UID}:${PVC_1_GID} $PVC_1_MOUNT_PATH
     resources:
       limits:
         cpu: 500m

pkg/webhook/pod.go

@@ -113,6 +113,8 @@ func (a *Admitter) Admit(ar admissionv1.AdmissionReview) *admissionv1.AdmissionR
 
 const (
 	EnvVarPVC1MountPath = "PVC_1_MOUNT_PATH"
+	EnvVarPVC1UID       = "PVC_1_UID"
+	EnvVarPVC1GID       = "PVC_1_GID"
 )
 
 func (a *Admitter) Decide(ctx context.Context, reqInfo *ReqInfo) *admissionv1.AdmissionResponse {
@@ -180,6 +182,23 @@ func (a *Admitter) Decide(ctx context.Context, reqInfo *ReqInfo) *admissionv1.Ad
 				Value: mountPath,
 			}
 			container.Env = append(container.Env, envVarMountPath)
+
+			uid, gid := a.getVolumeUIDGIDFromPodAnnotations(volume.Name, reqInfo.Pod)
+			if uid != "" {
+				envVarUID := corev1.EnvVar{
+					Name:  EnvVarPVC1UID,
+					Value: uid,
+				}
+				container.Env = append(container.Env, envVarUID)
+			}
+			if gid != "" {
+				envVarGID := corev1.EnvVar{
+					Name:  EnvVarPVC1GID,
+					Value: gid,
+				}
+				container.Env = append(container.Env, envVarGID)
+			}
+
 			initContainersToAdd = append(initContainersToAdd, container)
 		}
 	}
@@ -200,8 +219,34 @@ const (
 	podsInitContainerPatch string = `[
 		 {"op":"add","path":"/spec/initContainers","value":%s}
 	]`
+	AnnoVolumeUID         = "volume.storage.kubesphere.io/uid"
+	AnnoVolumeGID         = "volume.storage.kubesphere.io/gid"
+	AnnoSpecificVolumeUID = "%s.volume.storage.kubesphere.io/uid"
+	AnnoSpecificVolumeGID = "%s.volume.storage.kubesphere.io/gid"
 )
 
+func (a *Admitter) getVolumeUIDGIDFromPodAnnotations(volumeName string, pod *corev1.Pod) (uid, gid string) {
+	for k, v := range pod.Annotations {
+		switch k {
+		case AnnoVolumeUID:
+			uid = v
+		case AnnoVolumeGID:
+			gid = v
+		}
+	}
+	for k, v := range pod.Annotations {
+		annoUID := fmt.Sprintf(AnnoSpecificVolumeUID, volumeName)
+		annoGID := fmt.Sprintf(AnnoSpecificVolumeGID, volumeName)
+		switch k {
+		case annoUID:
+			uid = v
+		case annoGID:
+			gid = v
+		}
+	}
+	return
+}
+
 func initContainersToPatch(initContainers []*corev1.Container) ([]byte, error) {
 	containersBytes, err := json.Marshal(initContainers)
 	if err != nil {