Volumes created with nfs-client-provisioner have 777 permissions by default

[Cris-GarGon]

Environmental Info:
K3s Version:
v1.31.4+k3s1

Node(s) CPU architecture, OS, and Version:
Red Hat Enterprise Linux release 8.10 (Ootpa)

Cluster Configuration:
1 master, 4 workers

Describe the bug:
Creating a PVC using a StorageClass managed by the nfs-client-provisioner, the resulting volumes are created with 777 permissions. This can be a security issue, as it allows full access to any user.

Steps To Reproduce:

1. Create a StorageClass that uses the nfs-client-provisioner.
2. Create a PVC that uses the StorageClass created in step 1.
3. Verify the permissions of the created volume.

Expected behavior:
The permissions of the created volume should be more restrictive and not 777.

Actual behavior:
The created volume has 777 permissions, allowing full access to any system user.

Additional context / logs:
Example command to verify permissions:
sudo find / -perm -007 \( -type f -o -type d \) -ls

Example output:
7995808 4 drwxrwxrwx 2 root root 4096 Jun 14 2024 /opt/mnt/shared/k3s/postgres-pvc-dd6ae9b7-13bb-47ca-a116-04233b1a7e5c

[penguineer]

#373 would fix this.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

Details

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[penguineer]

Closed as "not planned" when there is PR #373 that would solve the issue. Does that mean that the PR will also not be merged?