Allow specify new folder permission.

[leptonyu]

Description:

Current design hardcode folder permission as 0o777.

nfs-subdir-external-provisioner/cmd/nfs-subdir-external-provisioner/provisioner.go

Line 115 in 59a3ca2

if err := os.MkdirAll(fullPath, 0o777); err != nil {

Request:

1. Make default permission as 0o770.
2. Provider a parameter to override default permission.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[niranjandarshann]

@leptonyu Thank you for raising this issue. The issue have less description. Which is not easy to understand in one go,
Try to give proper reference of this issue. In which file you encounter it.

[niranjandarshann]

From my investigation i come to know that you may be talking about nfs-subdir-external-provisioner/cmd/nfs-subdir-external-provisioner having provisioner.go file .

[leptonyu]

Yes, this one. Line 115

nfs-subdir-external-provisioner/cmd/nfs-subdir-external-provisioner/provisioner.go

Line 115 in 59a3ca2

if err := os.MkdirAll(fullPath, 0o777); err != nil {

[niranjandarshann]

I think, Hardcoding 0o777 is a security risk. Instead we can use 0770 for better security.

[leptonyu]

I would recommend to set default as 0o770 and allow customization in parameters.

[niranjandarshann]

@leptonyu Can you update the the description and what is your expectation in the issue description. So that it will be easy to the contributor to contribute.

[leptonyu]

Done

[Poldovico]

How would this interact with the fact volumes do not respect fsGroup and cannot have their owners changed by an InitContainer?
Wouldn't having the permissions set any other way than 777 make it impossible to use mounted volumes with containers that don't run as root?

[leptonyu]

Customizing Settings could be configured as 777 to keep as-is, or design matched user/group to run Pod.

[LSuDavidd]

I am not involved in this discussion but what i think is giving permission 0o777 will not be good the issue is correct instead if we permit it to the 0o770 atleast we are targeting to the most. And Here customizing will be good as if you want to give full permission then you can.