kubernetes-sigs · m-anyac · Dec 28, 2024 · jsafrane · Jan 2, 2025
diff --git a/charts/README.md b/charts/README.md
@@ -145,7 +145,7 @@ The following table lists the configurable parameters of the latest Azure File C
 | `linux.kubelet`                                   | configure kubelet directory path on Linux agent node node                  | `/var/lib/kubelet`                                                |
 | `linux.kubeconfig`                                | configure kubeconfig path on Linux agent node                | '' (empty, use InClusterConfig by default)                                            |
 | `linux.distro`                                    | configure ssl certificates for different Linux distribution(available values: `debian`, `fedora`)                  |
-| `linux.mountPermissions`                          | mounted folder permissions                 | `0777`
+| `linux.mountPermissions`                          | mounted folder permissions                 | `0775`
 | `linux.enableRegistrationProbe`                   | enable [kubelet-registration-probe](https://github.com/kubernetes-csi/node-driver-registrar#health-check-with-an-exec-probe) on Linux driver config     | `true`
 | `linux.tolerations`                               | linux node driver tolerations                            |
 | `linux.affinity`                                  | linux node pod affinity                                     | `{}`                                                             |

diff --git a/deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml b/deploy/example/kata-cc/storageclass-azurefile-kata-cc.yaml
@@ -11,8 +11,8 @@ parameters:
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - mfsymlinks
   - cache=strict  # https://linux.die.net/man/8/mount.cifs
   - nosharesock  # reduce probability of reconnect race

diff --git a/deploy/example/largeFileShares/storageclass-azurefile-largefileshares.yaml b/deploy/example/largeFileShares/storageclass-azurefile-largefileshares.yaml
@@ -10,8 +10,8 @@ parameters:
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - uid=0
   - gid=0
   - mfsymlinks

diff --git a/deploy/example/nginx-pod-azurefile-inline-volume.yaml b/deploy/example/nginx-pod-azurefile-inline-volume.yaml
@@ -24,4 +24,4 @@ spec:
         volumeAttributes:
           shareName: EXISTING_SHARE_NAME  # required
           secretName: azure-secret  # required
-          mountOptions: "dir_mode=0777,file_mode=0777,cache=strict,actimeo=30,nosharesock"  # optional
+          mountOptions: "dir_mode=0775,file_mode=0775,cache=strict,actimeo=30,nosharesock"  # optional
diff --git a/deploy/example/pv-azurefile-csi.yaml b/deploy/example/pv-azurefile-csi.yaml
@@ -13,8 +13,8 @@ spec:
   persistentVolumeReclaimPolicy: Retain  # if set as "Delete" file share would be removed in pvc deletion
   storageClassName: azurefile-csi
   mountOptions:
-    - dir_mode=0777
-    - file_mode=0777
+    - dir_mode=0775
+    - file_mode=0775
     - uid=0
     - gid=0
     - mfsymlinks

diff --git a/deploy/example/storageclass-azurefile-csi.yaml b/deploy/example/storageclass-azurefile-csi.yaml
@@ -10,8 +10,8 @@ parameters:
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - mfsymlinks
   - cache=strict  # https://linux.die.net/man/8/mount.cifs
   - nosharesock  # reduce probability of reconnect race

diff --git a/deploy/example/storageclass-azurefile-existing-share.yaml b/deploy/example/storageclass-azurefile-existing-share.yaml
@@ -12,8 +12,8 @@ parameters:
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - uid=0
   - gid=0
   - mfsymlinks

diff --git a/deploy/example/storageclass-azurefile-large-scale.yaml b/deploy/example/storageclass-azurefile-large-scale.yaml
@@ -12,8 +12,8 @@ parameters:
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - uid=0
   - gid=0
   - mfsymlinks

diff --git a/deploy/example/storageclass-azurefile-secret.yaml b/deploy/example/storageclass-azurefile-secret.yaml
@@ -13,8 +13,8 @@ parameters:
   csi.storage.k8s.io/controller-expand-secret-name: azure-secret
   csi.storage.k8s.io/controller-expand-secret-namespace: default
 mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
+  - dir_mode=0775
+  - file_mode=0775
   - uid=0
   - gid=0
   - mfsymlinks

diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -61,7 +61,7 @@ enableMultichannel | specify whether enable [SMB multi-channel](https://learn.mi
 --- | **Following parameters are only for NFS protocol** | --- | --- |
 allowSharedKeyAccess | Allow or disallow shared key access for storage account created by driver | `true`,`false` | No | `true`
 rootSquashType | specify root squashing behavior on the share. The default is `NoRootSquash` | `AllSquash`, `NoRootSquash`, `RootSquash` | No |
-mountPermissions | mounted folder permissions. The default is `0777`, if set as `0`, driver will not perform `chmod` after mount | `0777` | No |
+mountPermissions | mounted folder permissions. The default is `0775`, if set as `0`, driver will not perform `chmod` after mount | `0775` | No |
 --- | **Following parameters are only for vnet setting, e.g. NFS, private endpoint** | --- | --- |
 vnetResourceGroup | specify vnet resource group where virtual network is | existing resource group name | No | if empty, driver will use the `vnetResourceGroup` value in azure cloud config file
 vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the `vnetName` value in azure cloud config file
@@ -108,7 +108,7 @@ nodeStageSecretRef.name | secret name that stores storage account name and key |
 nodeStageSecretRef.namespace | secret namespace | k8s namespace  |  Yes  |
 --- | **Following parameters are only for NFS protocol** | --- | --- |
 volumeAttributes.fsGroupChangePolicy | indicates how volume's ownership will be changed by the driver, pod `securityContext.fsGroupChangePolicy` is ignored  | `OnRootMismatch`(by default), `Always`, `None` | No | `OnRootMismatch`
-volumeAttributes.mountPermissions | mounted folder permissions. The default is `0777` |  | No |
+volumeAttributes.mountPermissions | mounted folder permissions. The default is `0775` |  | No |
 
  - create a Kubernetes secret for `nodeStageSecretRef.name`
  ```console

diff --git a/docs/install-csi-driver-master.md b/docs/install-csi-driver-master.md
@@ -41,5 +41,5 @@ curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-drive
 git clone https://github.com/kubernetes-sigs/azurefile-csi-driver.git
 cd azurefile-csi-driver
 git checkout master
-./deploy/install-driver.sh master local
+./deploy/uninstall-driver.sh master local
 ```
diff --git a/docs/workload-identity-static-pv-mount.md b/docs/workload-identity-static-pv-mount.md
@@ -78,8 +78,8 @@ spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: azurefile-csi
   mountOptions:
-    - dir_mode=0777
-    - file_mode=0777
+    - dir_mode=0775
+    - file_mode=0775
     - uid=0
     - gid=0
     - mfsymlinks

diff --git a/pkg/azurefile/azurefile.go b/pkg/azurefile/azurefile.go
@@ -70,8 +70,8 @@ const (
 	actimeo            = "actimeo"
 	noResvPort         = "noresvport"
 	mfsymlinks         = "mfsymlinks"
-	defaultFileMode    = "0777"
-	defaultDirMode     = "0777"
+	defaultFileMode    = "0775"
+	defaultDirMode     = "0775"
 	defaultActimeo     = "30"
 
 	// See https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-shares--directories--files--and-metadata#share-names

diff --git a/pkg/azurefile/azurefile_options.go b/pkg/azurefile/azurefile_options.go
@@ -70,7 +70,7 @@ func (o *DriverOptions) AddFlags() *flag.FlagSet {
 	fs.BoolVar(&o.EnableGetVolumeStats, "enable-get-volume-stats", true, "allow GET_VOLUME_STATS on agent node")
 	fs.BoolVar(&o.EnableKataCCMount, "enable-kata-cc-mount", false, "enable Kata Confidential Containers mount")
 	fs.BoolVar(&o.AppendMountErrorHelpLink, "append-mount-error-help-link", true, "Whether to include a link for help with mount errors when a mount error occurs.")
-	fs.Uint64Var(&o.MountPermissions, "mount-permissions", 0777, "mounted folder permissions")
+	fs.Uint64Var(&o.MountPermissions, "mount-permissions", 0775, "mounted folder permissions")
 	fs.StringVar(&o.FSGroupChangePolicy, "fsgroup-change-policy", "", "indicates how the volume's ownership will be changed by the driver, OnRootMismatch is the default value")
 	fs.Float64Var(&o.KubeAPIQPS, "kube-api-qps", 25.0, "QPS to use while communicating with the kubernetes apiserver.")
 	fs.IntVar(&o.KubeAPIBurst, "kube-api-burst", 50, "Burst to use while communicating with the kubernetes apiserver.")

diff --git a/pkg/azurefile/nodeserver.go b/pkg/azurefile/nodeserver.go
@@ -357,7 +357,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		if !strings.HasSuffix(diskName, vhdSuffix) {
 			return nil, status.Errorf(codes.Internal, "diskname could not be empty, targetPath: %s", targetPath)
 		}
-		cifsMountFlags = []string{"dir_mode=0777,file_mode=0777,cache=strict,actimeo=30", "nostrictsync"}
+		cifsMountFlags = []string{"dir_mode=0775,file_mode=0775,cache=strict,actimeo=30", "nostrictsync"}
 		cifsMountPath = filepath.Join(filepath.Dir(targetPath), proxyMount)
 	}