fix: read allowUnsafePathPattern from storageclass annotations

derekbit · derekbit · commit 7569c8dba71e · 2026-01-06T15:47:18.000+08:00
Signed-off-by: Derek Su &lt;derek.su@suse.com&gt;
diff --git a/provisioner.go b/provisioner.go
@@ -317,9 +317,13 @@ func pathFromPattern(pattern string, opts pvController.ProvisionOptions, allowUn
 		return "", err
 	}
 
+	if allowUnsafePath {
+		return buf.String(), nil
+	}
+
 	path := buf.String()
 	fixedBasePathPrefix := filepath.Join(opts.PVC.Namespace, opts.PVC.Name) + string(filepath.Separator)
-	if !allowUnsafePath && !strings.HasPrefix(path, fixedBasePathPrefix) {
+	if !strings.HasPrefix(path, fixedBasePathPrefix) {
 		return "", fmt.Errorf("pathPattern must start with {{ .PVC.Namespace }}/{{ .PVC.Name }}/: %s", path)
 	}
 
@@ -385,6 +389,16 @@ func (p *LocalPathProvisioner) provisionFor(opts pvController.ProvisionOptions,
 				logrus.Warnf("failed to parse allowUnsafePathPattern %v, defaulting to false: %v", allowUnsafePathPattern, err)
 				allowUnsafePath = false
 			}
+		} else {
+			// Read from storageclass annotation for backward compatibility
+			allowUnsafePathAnnotation, exists := opts.StorageClass.GetAnnotations()["allowUnsafePathPattern"]
+			if exists {
+				allowUnsafePath, err = strconv.ParseBool(allowUnsafePathAnnotation)
+				if err != nil {
+					logrus.Warnf("failed to parse allow-unsafe-path-pattern annotation %v, defaulting to false: %v", allowUnsafePathAnnotation, err)
+					allowUnsafePath = false
+				}
+			}
 		}
 		folderName, err = pathFromPattern(pathPattern, opts, allowUnsafePath)
 		if err != nil {
diff --git a/test/pod_test.go b/test/pod_test.go
@@ -167,6 +167,12 @@ func (p *PodTestSuite) TestPodWithSkipPathPatternCheck() {
 	runTest(p, []string{p.config.IMAGE}, "ready", hostPathVolumeType)
 }
 
+func (p *PodTestSuite) TestPodWithSkipPathPatternCheckByAnnotation() {
+	p.kustomizeDir = "skip-path-pattern-check-by-annotation"
+
+	runTest(p, []string{p.config.IMAGE}, "ready", hostPathVolumeType)
+}
+
 // ADD THIS NEW TEST METHOD
 func (p *PodTestSuite) TestPathTraversalPrevention() {
 	testCases := []struct {
diff --git a/test/testdata/skip-path-pattern-check-by-annotation/kustomization.yaml b/test/testdata/skip-path-pattern-check-by-annotation/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../deploy
+- storage-class.yaml
+- pod.yaml
+- pvc.yaml
+images:
+- name: rancher/local-path-provisioner
+  newTag: dev
+labels:
+- includeSelectors: true
+  pairs:
+    app: local-path-provisioner
+patches:
+- path: local-path-config.yaml
diff --git a/test/testdata/skip-path-pattern-check-by-annotation/local-path-config.yaml b/test/testdata/skip-path-pattern-check-by-annotation/local-path-config.yaml
@@ -0,0 +1,19 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: local-path-config
+  namespace: local-path-storage
+data:
+  config.json: |-
+    {
+            "storageClassConfigs":{
+                   "local-path-skip-path-pattern-check-by-annotation": {
+                          "nodePathMap": [
+                          {
+                                  "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                                  "paths":["/opt/local-path-provisioner"]
+                          }
+                          ]
+                   }
+            }
+    }
diff --git a/test/testdata/skip-path-pattern-check-by-annotation/pod.yaml b/test/testdata/skip-path-pattern-check-by-annotation/pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: volume-test
+spec:
+  containers:
+  - name: volume-test
+    image: nginx:stable-alpine
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+    - name: volv
+      mountPath: /data
+    ports:
+    - containerPort: 80
+  volumes:
+  - name: volv
+    persistentVolumeClaim:
+      claimName: local-path-pvc
diff --git a/test/testdata/skip-path-pattern-check-by-annotation/pvc.yaml b/test/testdata/skip-path-pattern-check-by-annotation/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app: test
+  name: local-path-pvc
+spec:
+  storageClassName: local-path-skip-path-pattern-check-by-annotation
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
diff --git a/test/testdata/skip-path-pattern-check-by-annotation/storage-class.yaml b/test/testdata/skip-path-pattern-check-by-annotation/storage-class.yaml
@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: local-path-skip-path-pattern-check-by-annotation
+  annotations:
+    allowUnsafePathPattern: "true"
+provisioner: rancher.io/local-path
+parameters:
+  nodePath: /opt/local-path-provisioner
+  pathPattern: "/opt/../{{ .PVC.Namespace }}_{{ .PVC.Name }}/../etc/"
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Delete
diff --git a/test/testdata/skip-path-pattern-check/storage-class.yaml b/test/testdata/skip-path-pattern-check/storage-class.yaml
@@ -6,6 +6,6 @@ provisioner: rancher.io/local-path
 parameters:
   nodePath: /opt/local-path-provisioner
   allowUnsafePathPattern: "true"
-  pathPattern: "/opt/../{{ .PVC.Namespace }}/{{ .PVC.Name }}/../etc/"
+  pathPattern: "/opt/../{{ .PVC.Namespace }}_{{ .PVC.Name }}/../etc/"
 volumeBindingMode: WaitForFirstConsumer
 reclaimPolicy: Delete
