local-storage: Fix permission (k3s-io#7217)

* local-storage: Fix permission

/var/lib/rancher/k3s/storage/ should be 700
/var/lib/rancher/k3s/storage/* should be 777

Fixes k3s-io#2348

Signed-off-by: Boleyn Su <[email protected]>

* Fix pod command field type

* Fix to int test

Signed-off-by: Derek Nola <[email protected]>

---------

Signed-off-by: Boleyn Su <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Co-authored-by: Brad Davidson <[email protected]>
Co-authored-by: Derek Nola <[email protected]>

manifests/local-storage.yaml

@@ -129,7 +129,7 @@ data:
         esac
     done
     mkdir -m 0777 -p ${absolutePath}
-    chmod 701 ${absolutePath}/..
+    chmod 700 ${absolutePath}/..
   teardown: |-
     #!/bin/sh
     while getopts "m:s:p:" opt

tests/integration/localstorage/localstorage_int_test.go

@@ -26,7 +26,7 @@ var _ = BeforeSuite(func() {
 	}
 })
 
-var _ = Describe("local storage", func() {
+var _ = Describe("local storage", Ordered, func() {
 	BeforeEach(func() {
 		if testutil.IsExistingServer() && !testutil.ServerArgsPresent(localStorageServerArgs) {
 			Skip("Test needs k3s server with: " + strings.Join(localStorageServerArgs, " "))
@@ -39,9 +39,8 @@ var _ = Describe("local storage", func() {
 			}, "120s", "5s").Should(Succeed())
 		})
 		It("creates a new pvc", func() {
-			result, err := testutil.K3sCmd("kubectl create -f ./testdata/localstorage_pvc.yaml")
-			Expect(result).To(ContainSubstring("persistentvolumeclaim/local-path-pvc created"))
-			Expect(err).NotTo(HaveOccurred())
+			Expect(testutil.K3sCmd("kubectl create -f ./testdata/localstorage_pvc.yaml")).
+				To(ContainSubstring("persistentvolumeclaim/local-path-pvc created"))
 		})
 		It("creates a new pod", func() {
 			Expect(testutil.K3sCmd("kubectl create -f ./testdata/localstorage_pod.yaml")).
@@ -62,7 +61,7 @@ var _ = Describe("local storage", func() {
 			var k3sStorage = "/var/lib/rancher/k3s/storage"
 			fileStat, err := os.Stat(k3sStorage)
 			Expect(err).ToNot(HaveOccurred())
-			Expect(fmt.Sprintf("%04o", fileStat.Mode().Perm())).To(Equal("0701"))
+			Expect(fmt.Sprintf("%04o", fileStat.Mode().Perm())).To(Equal("0700"))
 
 			pvResult, err := testutil.K3sCmd("kubectl get --namespace=default pv")
 			Expect(err).ToNot(HaveOccurred())
@@ -72,6 +71,20 @@ var _ = Describe("local storage", func() {
 			fileStat, err = os.Stat(k3sStorage + "/" + volumeName)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(fmt.Sprintf("%04o", fileStat.Mode().Perm())).To(Equal("0777"))
+
+			Eventually(func() error {
+				_, err = os.Stat(k3sStorage + "/" + volumeName + "/file1")
+				return err
+			}, "10s", "1s").Should(Succeed())
+			Expect(testutil.K3sCmd("kubectl --namespace=default exec volume-test -- stat -c %a /data/file1")).
+				To(Equal("644\n"))
+
+		})
+		It("allows non-root pods to write to the volume", func() {
+			Expect(testutil.K3sCmd("kubectl --namespace=default exec volume-test -- touch /data/file2")).
+				To(BeEmpty())
+			Expect(testutil.K3sCmd("kubectl --namespace=default exec volume-test -- stat -c %a /data/file2")).
+				To(Equal("644\n"))
 		})
 		It("deletes properly", func() {
 			Expect(testutil.K3sCmd("kubectl delete --namespace=default --force pod volume-test")).

tests/integration/localstorage/testdata/localstorage_pod.yaml

@@ -6,13 +6,18 @@ metadata:
 spec:
   containers:
   - name: volume-test
-    image: nginx:stable-alpine
+    image: busybox:stable
     imagePullPolicy: IfNotPresent
+    command:
+    - sh
+    - "-c"
+    - "touch /data/file1 && sleep infinity"
     volumeMounts:
     - name: volv
       mountPath: /data
-    ports:
-    - containerPort: 80
+    securityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
   volumes:
   - name: volv
     persistentVolumeClaim: