Read configmap from volume mount

Avoid RBAC permission to configmap and save some APIServer call.
The permission to get ack-cluster-profile is moved to a separate role, not assuming we are installed in kube-system.

Author: huww98

deploy/chart/templates/rbac.yaml

@@ -1,3 +1,15 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: kube-system
+  name: alibabacloud-csi-kube-system
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["ack-cluster-profile"]
+  verbs: ["get"]
+
 {{- if .Values.controller.enabled -}}
 # csi-provisioner
 ---
@@ -101,10 +113,6 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "watch", "list", "delete", "update", "create"]
-- apiGroups: [""]
-  resources: ["configmaps"]
-  resourceNames: ["csi-plugin", "ack-cluster-profile"]
-  verbs: ["get"]
 {{- if .Values.csi.oss.enabled }}
 # TODO: remove this in the future
 # Need this for oss driver compatibility.
@@ -136,6 +144,20 @@ roleRef:
   kind: Role
   name: alicloud-csi-provisioner
   apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: alibabacloud-csi-provisioner-kube-system
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-provisioner
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: alibabacloud-csi-kube-system
+  apiGroup: rbac.authorization.k8s.io
 
 {{- if .Values.csi.oss.enabled }}
 ---
@@ -175,10 +197,6 @@ rules:
   resources: ["endpoints"]
   resourceNames: ["cnfs-cache-ds-service"]
   verbs: ["get"]
-- apiGroups: [""]
-  resources: ["configmaps"]
-  resourceNames: ["csi-plugin", "ack-cluster-profile"]
-  verbs: ["get"]
 - apiGroups: [""]
   resources: ["services"]
   resourceNames: ["storage-monitor-service"]
@@ -249,6 +267,20 @@ subjects:
   name: alicloud-csi-node
   namespace: {{ .Release.Namespace }}
 ---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: alibabacloud-csi-node-kube-system
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-node
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: alibabacloud-csi-kube-system
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

pkg/disk/disk.go

@@ -34,7 +34,6 @@ import (
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/options"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/version"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
@@ -142,8 +141,6 @@ func (disk *DISK) Run() {
 
 // GlobalConfigSet set Global Config
 func GlobalConfigSet(m metadata.MetadataProvider) utils.Config {
-	configMapName := "csi-plugin"
-
 	// Global Configs Set
 	cfg, err := options.GetRestConfig()
 	if err != nil {
@@ -160,13 +157,7 @@ func GlobalConfigSet(m metadata.MetadataProvider) utils.Config {
 		klog.Fatalf("Error building kubernetes clientset: %s", err.Error())
 	}
 
-	csiCfg := utils.Config{}
-	configMap, err := kubeClient.CoreV1().ConfigMaps("kube-system").Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		klog.Infof("Not found configmap named as csi-plugin under kube-system, with: %v", err)
-	} else {
-		csiCfg.ConfigMap = configMap.Data
-	}
+	csiCfg := utils.DefaultConfig()
 
 	// Env variables
 	avmfe := os.Getenv("ADDON_VM_FATAL_EVENTS")

pkg/mounter/fuse_pod_manager.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -98,13 +99,13 @@ type FuseContainerConfig struct {
 	Extra       map[string]string
 }
 
-func extractFuseContainerConfig(configmap *corev1.ConfigMap, name string) (config FuseContainerConfig) {
+func extractFuseContainerConfig(configmap *utils.Config, name string) (config FuseContainerConfig) {
 	if configmap == nil {
 		return
 	}
 	config.Resources.Requests = make(corev1.ResourceList)
 	config.Resources.Limits = make(corev1.ResourceList)
-	content := configmap.Data["fuse-"+name]
+	content := configmap.Get("fuse-"+name, "", "")
 	for _, line := range strings.Split(content, "\n") {
 		line = strings.TrimSpace(line)
 		if line == "" {

pkg/mounter/fuse_pod_manager_test.go

@@ -1,30 +1,31 @@
 package mounter
 
 import (
+	"os"
 	"testing"
 
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 
 func Test_extractFuseContainerConfig(t *testing.T) {
-	configmap := &corev1.ConfigMap{
-		Data: map[string]string{
-			"fuse-ossfs": `
-				image=ossfs:latest
-				cpu-request=100m
-				cpu-limit=1
-				memory-request=500Mi
-				memory-limit=2Gi
-				dbglevel=info
-				mime-support=false
-				annotations={"anno1": "val1", "anno2": "val2"}
-				labels={"label1": "val1", "label2": "val2"}
-			`,
-		},
-	}
-	config := extractFuseContainerConfig(configmap, "ossfs")
+	dir := t.TempDir()
+	assert.NoError(t, os.WriteFile(dir+"/fuse-ossfs", []byte(`
+image=ossfs:latest
+cpu-request=100m
+cpu-limit=1
+memory-request=500Mi
+memory-limit=2Gi
+dbglevel=info
+mime-support=false
+annotations={"anno1": "val1", "anno2": "val2"}
+labels={"label1": "val1", "label2": "val2"}
+`), 0644))
+
+	configmap := utils.Config{Path: dir}
+	config := extractFuseContainerConfig(&configmap, "ossfs")
 	expected := FuseContainerConfig{
 		Resources: corev1.ResourceRequirements{
 			Limits: corev1.ResourceList{

pkg/mounter/ossfs.go

@@ -62,7 +62,7 @@ var ossfsDbglevels = map[string]string{
 
 const defaultDbglevel = DebugLevelError
 
-func NewFuseOssfs(configmap *corev1.ConfigMap, m metadata.MetadataProvider) FuseMounterType {
+func NewFuseOssfs(configmap *utils.Config, m metadata.MetadataProvider) FuseMounterType {
 	config := extractFuseContainerConfig(configmap, "ossfs")
 	// set default image
 	if config.Image == "" {

pkg/nas/internal/config.go

@@ -4,26 +4,20 @@ import (
 	"context"
 	"errors"
 	"os"
-	"strconv"
 
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud/metadata"
 	cnfsv1beta1 "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cnfs/v1beta1"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/cloud"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/options"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 )
 
-const (
-	configMapName      = "csi-plugin"
-	configMapNamespace = "kube-system"
-)
-
 type ControllerConfig struct {
 	// cluster info
 	Region    string
@@ -50,26 +44,19 @@ func mustGetKubeClients() (kubernetes.Interface, cnfsv1beta1.CNFSGetter) {
 
 func GetControllerConfig(meta *metadata.Metadata) (*ControllerConfig, error) {
 	kubeClient, cnfsGetter := mustGetKubeClients()
+	cm := utils.DefaultConfig()
+
 	config := &ControllerConfig{
 		Region:           metadata.MustGet(meta, metadata.RegionID),
 		ClusterID:        os.Getenv("CLUSTER_ID"),
 		KubeClient:       kubeClient,
 		CNFSGetter:       cnfsGetter,
 		NasClientFactory: cloud.NewNasClientFactory(),
-	}
 
-	cm, err := kubeClient.CoreV1().ConfigMaps(configMapNamespace).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		if !apierrors.IsNotFound(err) {
-			return nil, err
-		}
-	} else {
-		config.SkipSubpathCreation, _ = parseBool(cm.Data["nas-fake-provision"])
+		SkipSubpathCreation:    cm.GetBool("nas-fake-provision", "NAS_FAKE_PROVISION", false),
+		EnableSubpathFinalizer: cm.GetBool("nas-subpath-finalizer", "ENABLE_NAS_SUBPATH_FINALIZER", true),
+		EnableRecycleBinCheck:  cm.GetBool("nas-recyclebin-check", "ENABLE_NAS_RECYCLEBIN_CHECK", false),
 	}
-
-	config.EnableSubpathFinalizer, _ = parseBool(os.Getenv("ENABLE_NAS_SUBPATH_FINALIZER"))
-	config.EnableRecycleBinCheck, _ = parseBool(os.Getenv("ENABLE_NAS_RECYCLEBIN_CHECK"))
-
 	return config, nil
 }
 
@@ -92,33 +79,19 @@ type NodeConfig struct {
 
 func GetNodeConfig() (*NodeConfig, error) {
 	kubeClient, cnfsGetter := mustGetKubeClients()
-	config := &NodeConfig{
-		// enable nfs port check by default
-		EnablePortCheck: true,
-		KubeClient:      kubeClient,
-		CNFSGetter:      cnfsGetter,
-	}
+	cm := utils.DefaultConfig()
 
-	// check if enable nfs port check
-	if value := os.Getenv("NAS_PORT_CHECK"); value != "" {
-		config.EnablePortCheck, _ = parseBool(value)
+	config := &NodeConfig{
+		KubeClient: kubeClient,
+		CNFSGetter: cnfsGetter,
+
+		EnablePortCheck:   cm.GetBool("nas-port-check", "NAS_PORT_CHECK", true),
+		EnableVolumeStats: cm.GetBool("nas-metric-enable", "NAS_METRIC_BY_PLUGIN", false),
+		EnableEFCCache: cm.Get("cnfs-cache-properties", "", "") != "" ||
+			cm.Get("nas-efc-cache", "", "") != "",
+		EnableLosetup: cm.GetBool("nas-losetup-enable", "NAS_LOSETUP_ENABLE", false),
 	}
 
-	// get csi-plugin configmap
-	cm, err := kubeClient.CoreV1().ConfigMaps(configMapNamespace).Get(context.Background(), configMapName, metav1.GetOptions{})
-	if err != nil {
-		if !apierrors.IsNotFound(err) {
-			return nil, err
-		}
-	} else {
-		if value := cm.Data["nas-metric-enable"]; value != "" {
-			config.EnableVolumeStats, _ = parseBool(value)
-		}
-		config.EnableEFCCache = cm.Data["cnfs-cache-properties"] != "" || cm.Data["nas-efc-cache"] != ""
-	}
-	if value := os.Getenv("NAS_METRIC_BY_PLUGIN"); value != "" {
-		config.EnableVolumeStats, _ = parseBool(value)
-	}
 	if config.EnableVolumeStats {
 		klog.Info("enabled nas volume stats")
 	}
@@ -132,9 +105,6 @@ func GetNodeConfig() (*NodeConfig, error) {
 	config.NodeName = nodeName
 
 	// check if losetup enabled
-	if value := os.Getenv("NAS_LOSETUP_ENABLE"); value != "" {
-		config.EnableLosetup, _ = parseBool(value)
-	}
 	if config.EnableLosetup {
 		klog.Info("enabled nas losetup mode")
 		for _, addr := range node.Status.Addresses {
@@ -150,13 +120,3 @@ func GetNodeConfig() (*NodeConfig, error) {
 
 	return config, nil
 }
-
-func parseBool(str string) (bool, error) {
-	switch str {
-	case "enable", "enabled", "yes":
-		return true, nil
-	case "no", "":
-		return false, nil
-	}
-	return strconv.ParseBool(str)
-}