Describe the problem/challenge you have
I work with Magento 2 daily and currently our setup uses containers that, for security reasons, have their default user as "nobody", because this way, in the event of a security breach or any kind of problem, the exposed user can't do much besides reading and writing to the folder that he is isolated in.
The problem is that, with 10 pods running 1 container each, we have a ton of logs, so we use Open-EBS NFS on top of Jiva to volume-mount an NFS PVC that allows all the containers to write to the logs at the same time, and we have one centralized solution for the logs.
Currently there is only support for FSGID; this sets the Group ID and also sets the permissions for that PVC in such a way that allows a user in the group 'nobody' to read and write in that volume-mount.
Describe the solution you'd like
In our entire infrastructure, the logs folder is the one with the biggest exposure because it's the one that has actual access; all the other ones are isolated to the container and no one can access them.
I would like to be able to set the owner of the PVC and the permissions of the PVC the same way as I set the FSGID.
Anything else you would like to add:
Here is a code snippet of what I currently use with a few touches of what I would like to see being possible:
As you can see I added UID and Permissions to the cas.openebs.io config and this would allow me to set the owner and the permissions to drw-r--r--, which would be great for my use case.
Environment:
OpenEBS version (use kubectl get po -n openebs --show-labels): openebs.io/version=2.12.0
Kubernetes version (use kubectl version):
OS (cat /etc/os-release): Ubuntu 20.4 (3x nodes in one cluster, all the same)
Kernel (uname -a): Linux main 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
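The following is an added example, not part of the original issue and not OpenEBS code: it evaluates which POSIX permission class applies to a non-root process on a shared log directory, for a group-based layout like the FSGID one described above and for owner-based layouts including the drw-r--r-- mode mentioned in the request. The UID/GID 65534 for "nobody", the other user (UID 1000) and the modes other than drw-r--r-- are assumptions chosen for illustration.

```python
import stat

NOBODY = 65534  # assumption: UID/GID of "nobody" on Debian/Ubuntu images

def dir_access(mode, owner_uid, group_gid, uid, gids):
    """Return (read, write, search) for a non-root process on a directory.

    POSIX applies exactly one class: owner if the UID matches, else group
    if any process GID matches, else other. Root (CAP_DAC_OVERRIDE) is not modelled.
    """
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif group_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return tuple(bool(mode & b) for b in bits)

def can_create_files(mode, owner_uid, group_gid, uid, gids):
    """Creating a log file needs write AND search (x) on the directory."""
    _, write, search = dir_access(mode, owner_uid, group_gid, uid, gids)
    return write and search

# Constructed layouts: (mode, owner UID, group GID)
LAYOUTS = {
    "group-based (FSGID style)": (0o2770, 0, NOBODY),
    "owner-based, drw-r--r--": (0o644, NOBODY, 0),
    "owner-based, drwx------": (0o700, NOBODY, 0),
}

def evaluate(uid, gids):
    """Map each layout to (mode string, can this process create log files?)."""
    return {
        name: (stat.filemode(stat.S_IFDIR | mode),
               can_create_files(mode, owner, group, uid, gids))
        for name, (mode, owner, group) in LAYOUTS.items()
    }

if __name__ == "__main__":
    for who, uid, gids in [("app (nobody)", NOBODY, {NOBODY}),
                           ("other user", 1000, {1000})]:
        for name, (text, ok) in evaluate(uid, gids).items():
            print(f"{who:13} {name:27} {text} create={ok}")
```

A directory needs the search (x) bit as well as the write bit before files can be created in it, so an owner-based layout that is meant to accept log writes needs at least rwx for the owner.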