kubernetes-csi / csi-driver-smb

This driver allows Kubernetes to access SMB Server on both Linux and Windows nodes.


The documentation for using Kerberos tickets is incomplete

mhvelplund opened this issue · comments

Is your feature request related to a problem?/Why is this needed
Looking at the documentation for Kerberos, there are some confusing examples and apparently missing information.

Describe the solution you'd like in detail
I think the documentation for the Kerberos setup has some mistakes. Changing the lines:

export KRB5CCNAME=/tmp/ccache # Use temporary file for the cache
# ...
kubectl create secret generic smbcreds-krb5 --from-literal krb5cc_1000=$CCACHE

to:

export KRB5CCNAME="/var/lib/kubelet/kerberos/krb5cc_1000"
# ...
kubectl create secret generic smbcreds-krb5 --from-literal username=USERNAME --from-literal krb5cc_1000=$CCACHE

... should fix the example.

Describe alternatives you've considered
N/A

Additional context
When I was trying to get the Kerberos ticket working, I followed the documentation in the link above and the sample StorageClass example.

When I tried to create a PersistentVolumeClaim in a pod, it would fail deployment while trying to start with the following message:

Events:
  Type     Reason       Age               From               Message
  ----     ------       ----              ----               -------
  Normal   Scheduled    15s               default-scheduler  Successfully assigned cifs-test/cifs-test-5954dd6cd5-wmrkt to ip-10-11-12-13.eu-central-1.compute.internal
  Warning  FailedMount  7s (x5 over 15s)  kubelet            MountVolume.MountDevice failed for volume "pvc-badc58e4-3b11-4fcb-9173-9bea8a9410cd" : rpc error: code = Internal desc = volume(shares.contoso.net/customers#pvc-badc58e4-3b11-4fcb-9173-9bea8a9410cd#) mount "//shares.contoso.net/customers" on "/var/lib/kubelet/plugins/kubernetes.io/csi/smb.csi.k8s.io/b8e8ce74d6ff1b3910dad188b97757f0bc16227ab3e19c8498bb203914273b16/globalmount" failed with mount failed: exit status 1
Mounting command: mount
Mounting arguments: -t cifs -o cache=strict,cruid=0,dir_mode=0770,file_mode=0660,gid=60000,mfsymlinks,noexec,noperm,noserverino,nosuid,seal,sec=krb5,uid=1000,vers=3.0,<masked> //shares.contoso.net/customers /var/lib/kubelet/plugins/kubernetes.io/csi/smb.csi.k8s.io/b8e8ce74d6ff1b3910dad188b97757f0bc16227ab3e19c8498bb203914273b16/globalmount
Output: username specified with no parameter

After scratching my head for a while and trying to use the same mount arguments as those shown in the message (minus the masked part), I could see that the Kerberos ticket was working and the drive could be mounted.

I started digging around the code for something related to the last message, "username specified with no parameter", and stumbled upon the PR where the feature originated.


Just for fun, I updated my secret to include the username again, and now it works. So either there is a bug, or the documentation should be reverted to @yerenkow's original text as described above.
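The failure in this issue is easy to catch before a pod ever tries to mount: the Secret can be inspected for the keys the mount needs. The following pre-flight check is an added example written for this page; it is not code from csi-driver-smb. It assumes, based on the issue's own commands and mount arguments, that the Secret must carry a `username` key and a `krb5cc_<uid>` key whose `<uid>` matches the `uid=` entry in the StorageClass `mountOptions`; it also assumes the ccache value is a MIT `FILE:` credential cache, whose first byte is 0x05 followed by a format version byte. The Secret manifest, the mount options and the ccache bytes are all constructed sample data.

```python
import base64
import re

# Constructed sample credential cache: only the FILE ccache header (0x05, version 4)
# plus padding. A real cache produced by kinit is much longer; this is a placeholder.
SAMPLE_CCACHE = b"\x05\x04" + b"\x00" * 14

# Constructed mountOptions, mirroring the options visible in the issue's kubelet event.
MOUNT_OPTIONS = ["dir_mode=0770", "file_mode=0660", "uid=1000",
                 "gid=60000", "sec=krb5", "vers=3.0"]


def make_secret(name, username, uid, ccache_bytes):
    """Build the Secret manifest that `kubectl create secret generic` would produce.

    Passing username=None reproduces the broken shape from the issue (no `username` key).
    """
    data = {"krb5cc_%d" % uid: base64.b64encode(ccache_bytes).decode("ascii")}
    if username is not None:
        data["username"] = base64.b64encode(username.encode()).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name}, "data": data}


def check_krb5_secret(secret, mount_options):
    """Return a list of problems; an empty list means the Secret looks mountable."""
    problems = []
    data = secret.get("data", {})

    # Assumption: the ccache key name must match the uid the share is mounted as.
    uid = None
    for opt in mount_options:
        m = re.fullmatch(r"uid=(\d+)", opt)
        if m:
            uid = int(m.group(1))
    if uid is None:
        problems.append("mountOptions has no uid=<n>; cannot tell which krb5cc_<uid> key applies")
    if "sec=krb5" not in mount_options:
        problems.append("mountOptions lacks sec=krb5, so the ticket cache will not be used")

    # The issue's failure mode: ticket present, but no username in the Secret.
    if "username" not in data:
        problems.append("secret has no 'username' key "
                        "(mount fails with 'username specified with no parameter')")

    cc_keys = [k for k in data if re.fullmatch(r"krb5cc_\d+", k)]
    if not cc_keys:
        problems.append("secret has no krb5cc_<uid> key")
    elif uid is not None and "krb5cc_%d" % uid not in data:
        problems.append("secret has %s but mountOptions uses uid=%d (expected krb5cc_%d)"
                        % (", ".join(sorted(cc_keys)), uid, uid))

    # Assumption: FILE ccache format, first byte 0x05 then a version byte 1..4.
    for key in cc_keys:
        raw = base64.b64decode(data[key])
        if len(raw) < 2 or raw[0] != 0x05 or raw[1] not in (1, 2, 3, 4):
            problems.append("%s does not start with a FILE credential cache header" % key)
    return problems


if __name__ == "__main__":
    good = make_secret("smbcreds-krb5", "USERNAME", 1000, SAMPLE_CCACHE)
    broken = make_secret("smbcreds-krb5", None, 1000, SAMPLE_CCACHE)
    print("good:", check_krb5_secret(good, MOUNT_OPTIONS))
    print("broken:", check_krb5_secret(broken, MOUNT_OPTIONS))
```

Feeding the function the output of `kubectl get secret smbcreds-krb5 -o json` (parsed with `json.load`) and the `mountOptions` list from the StorageClass reproduces the check against a live cluster; the base64 handling matches how the API server stores `data` values.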