github ceph/ceph-csi v3.17.0
Ceph-CSI v3.17.0 Release

We are excited to announce another release of Ceph CSI, v3.17.0. This is another significant step towards using enhanced Container Storage Interface (CSI) features with a Ceph cluster as the backend. With this release, we are introducing many new features and enhancements to the Ceph CSI driver. The changelog and release highlights follow.

Changelog and Highlights:

Warning

  • Migration: Ceph-CSI v3.16+ officially recommends using Ceph-CSI-Operator as the supported deployment mechanism. Refer to Migration.md for more details.
  • Breaking Change: NFS CSIDriver object's spec.attachRequired is now set to true to accommodate the Kubernetes ServiceAccount based volume access restriction feature. Users upgrading to v3.17 will need to delete and recreate the CSIDriver object for NFS.
  • Breaking Change: NVMe-oF StorageClass now requires publish secrets to accommodate the Kubernetes ServiceAccount based volume access restriction. Users upgrading to v3.17 will need to recreate the NVMe-oF StorageClass with publish secrets.

NOTE

  • The --setmetadata flag has been deprecated and has no effect. Metadata is now always set on RBD images and CephFS subvolumes. The flag will be removed in a future release (#6225).

Features

Kubernetes ServiceAccount Based Volume Access Restriction

This release introduces ServiceAccount based volume access restriction across all drivers (RBD, CephFS, NFS, NVMe-oF), enabling fine-grained access control for volumes based on Kubernetes ServiceAccount identity. Refer to the design proposal and #6076 for more details.

RBD

  • VolumeAttributesClass QoS: Use VolumeAttributesClass feature to implement RBD volume QoS via ControllerModifyVolume, allowing dynamic QoS parameter changes without recreating volumes (this is only supported for nbd mounter) (#6160)
  • StorageClass image features for temp clones and snapshots: Temp clones and snapshot backing images now use StorageClass image features (#6205)
  • Fix missing data pool in PVC restore and clone images: Fixed data pool not being set correctly during PVC restore and clone operations (#6086)
  • DiffIterateByID fix: Fixed Length calculation in DiffIterateByID (#6200)
  • PV metadata updates: Update PV metadata on volumes (#6059)
  • Enable WholeObject & IncludeParent in snap diff (#6279)
  • GKLM KMS over KMIP: Added support for GKLM (Guardium Key Lifecycle Manager) KMS over KMIP protocol (#6048)

CephFS

  • VolumeGroupReplication RBAC: Added RBAC for VolumeGroupReplication resources (#6233)
  • CSI metadata on subvolumes: Added SetSubVolCSIMetadata to set CSI metadata on subvolumes (#6174)
  • Improved unfencing: Use RemoveNetworkFence directly for unfencing (#6278)

NFS

  • ControllerModifyVolume: Allow changing NFS-server hostname through ControllerModifyVolume (#5829)

NVMe-oF

  • DH-CHAP authentication: Added DH-CHAP authentication support for NVMe-oF connections, enabling secure host authentication at both controller publish and node stage levels (#5913)
  • Snapshot support: Relay CreateSnapshot/DeleteSnapshot to RBD backend for NVMe-oF volumes (#5928)
  • Auto listeners: Added auto listener feature for NVMe-oF gateway listeners (#5891)
  • Safe controller disconnect: Implemented safe controller disconnect logic with device tracking (#6163)
  • Mount cache and locking: Added mount cache and GroupLock for safe NVMe disconnect during stage/unstage operations (#6192, #6210)
  • Namespace masking: Added namespace masking calls for NVMe-oF (#6241)
  • Optional gateway port: Made nvmeofGatewayPort an optional StorageClass parameter (#6230)
  • IP address resolution: Support resolving IP address for NVMe-oF gateway listeners by hostname (#6061)
  • GroupLock utility: Added GroupLock for two-group mutual exclusion (#6183)

Common

  • VolumeID validation: Added validator for VolumeID in incoming gRPC requests (#5957)
  • Allow underscores in volume ID: Volume IDs now support underscores (#6094)
  • Slow gRPC restart: The CSI driver process is now automatically restarted if any unary gRPC call is stuck for more than 10 minutes. ReclaimSpace calls are excluded from this limit. Use --feature-gates=SlowGRPCRestart=false to disable (#6286)
  • VolumeLocks for NodeGetVolumeStats: Added VolumeLocks to NodeGetVolumeStats for RBD and CephFS (#6291)

What's Changed

NVMe-oF

  • Fix CSI node plugin crash on immutable Linux distributions (#6165)
  • Fix NVMe-oF resource cleanup on CreateVolume failure (#5936)
  • Fix removeHost bug (#6084)
  • Fix dhchap key-value bug in rbd metadata (#6085)
  • Add check return status at removeHost (#6124)
  • Treat "connecting" state as valid in path detection (#5974)

RBD

  • Revert "rbd: fetch the volumeIds from VGRContent's status for omap data" (#5962)
  • Validate mounter type in ControllerModifyVolume (#6229)

Other

  • Use go-ceph blocklist APIs (#6054)
  • Use csi objectuuid for rados locks (#6204)
  • Include stderr in cryptsetup errors (#6036)
  • Disable informers on secrets (#5984)

Continuous Integration and Testing

  • Start testing the devel branch with Kubernetes 1.35 (#5973)
  • Use Rook 1.19.3 and Ceph Tentacle (#5672)
  • Use minikube v1.38.0 and v1.38.1 (#5993, #6138)
  • Enable NVMe-oF testing by default (#5641)
  • Add volume expansion tests for NVMe-oF (#6058)
  • Enable fail-fast to abort suite on first test failure (#6088)
  • Convert By() to It() and use Ordered containers (#6136)
  • Add markdown links validation action (#6092)
  • Cache mon IPs, clusterID, and parallelize readiness checks (#6114)
  • Add testing for EC pool (#6086)
  • Update ceph-csi-operator API from v1alpha1 to v1 (#6218)
  • Upgrade from v3.16.0 for upgrade tests (#5932)

Deployment

  • Add deployment files for NVMe-oF (#5641)
  • Update CSI sidecars to latest versions available (#6112)
  • Use GA versions of sidecars everywhere (#6189)
  • Add SecurityContextConstraints to NVMe-oF ServiceAccounts (#6249)
  • Add RBAC for csi-provisioner to access VolumeAttributesClass (#6160)
  • Allow NFS-provisioner to access VolumeAttributesClasses (#5829)

Helm Charts

  • Fix domainLabels empty array handling in template (#5990)

Documentation

  • Add design proposal for K8s SA based volume access restriction (#6076)
  • Add NVMe-oF DH-CHAP feature doc design (#6063)
  • Document current NVMe-oF features (#6065)
  • Add documentation for GKLM KMS (#6048)
  • Add examples for NVMe-oF and NVMe-oF snapshots (#5641)
  • Update QoS design doc and VolumeAttributesClass documentation (#6264)
  • Mention encryption is not supported for static PVC (#6212)
  • Add AGENTS.md with guidance for AI agents (#6181)
  • Fix broken links in docs (#6082)

Build and Cleanups

  • Adapt to go-ceph 0.38.0 and 0.39.0 blocklist API changes (#6069, #6245)
  • Add go-lint-fix Makefile target for golangci-lint autofix (#6208)
  • Deprecate the --setmetadata flag from configuration (#6225)
  • Refactor tryAcquire function to reduce complexity (#6115)
  • Use SetWriteDeadline for writeTimeout (#6115)
  • Fix encryptedMetedataDEK typo (#6115)

Updates of dependencies

  • Bump k8s.io/kubernetes from 1.35.0 to 1.35.4 (#6068, #6152, #6195, #6242)
  • Bump k8s.io/api from 0.35.0 to 0.36.0 (#6070, #6153, #6196, #6243)
  • Bump github.com/ceph/go-ceph from 0.37.0 to 0.39.0 (#6069, #6245)
  • Bump github.com/ceph/ceph-nvmeof/lib/go/nvmeof (#5947)
  • Bump google.golang.org/grpc from 1.78.0 to 1.81.0 (#6071, #6172, #6188, #6223, #6262)
  • Bump github.com/hashicorp/vault/api from 1.22.0 to 1.23.0 (#6197)
  • Bump github.com/onsi/ginkgo/v2 (#6255)
  • Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#6220)
  • Bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.23.1 (#5945, #5976)
  • Bump github.com/csi-addons/kubernetes-csi-addons from 0.13.0 to 0.14.0 (#5946)
  • Bump github.com/kubernetes-csi/csi-lib-utils (#6009)
  • Bump golang.org/x/oauth2 (#6040, #6166)
  • Bump golang.org/x/sync (#6173)
  • Bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.43.0 (#6143, #6227)
  • Bump actions/github-script from 8.0.0 to 9.0.0 (#6231)
  • Bump actions/checkout from 6.0.1 to 6.0.2 (#5975)
  • Bump actions/stale from 10.1.1 to 10.2.0 (#6118)
  • Bump actions/dependency-review-action from 4.8.2 to 4.9.0 (#6117, #6168)
  • Multiple other dependency updates in k8s-dependencies, github-dependencies, and golang-dependencies groups

Full Changelog: v3.16.0...v3.17.0