feat: add RBAC permissions and fix pod reconciler for DaemonSet mount mode

This commit completes the DaemonSet mount mode implementation with several critical fixes:

RBAC Updates:
- Add DaemonSet permissions (get, list, watch, create, update, patch) to CSI node service account
- Update both k8s.yaml and k8s_before_v1_18.yaml deployment manifests
- Enable CSI node pods to manage DaemonSets for mount pod lifecycle

Pod Reconciler Improvements:
- Add logic to detect mount mode transitions (shared-pod to DaemonSet)
- Prevent recreation loops when switching between mount modes
- Skip pod recreation when DaemonSet mode is active for a StorageClass
- Properly clean up finalizers to allow seamless mode transitions

Documentation:
- Clarify all three mount modes: pvc, shared-pod, and daemonset
- Document RBAC requirements for DaemonSet operations
- Specify that nodeAffinity is only required for daemonset mode
- Add comprehensive setup instructions including controller env variable requirement
- Include example ConfigMap with proper mode configuration

ConfigMap Template:
- Update example mount-config.yaml with correct nodeAffinity selector
- Show proper mode configuration for both default and specific StorageClasses

These changes enable smooth operation of DaemonSet mount mode and proper
handling of transitions between different mount modes without manual intervention.

Author: elijah-rou

deploy/k8s.yaml

@@ -256,6 +256,17 @@ rules:
   - nodes
   verbs:
   - list
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

deploy/k8s_before_v1_18.yaml

@@ -256,6 +256,17 @@ rules:
   - nodes
   verbs:
   - list
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

deploy/kubernetes/csi-daemonset-mount/mount-config.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: juicefs-mount-config
-  namespace: kube-system
+  namespace: juicefs
 data:
   # Default configuration for all StorageClasses
   default: |

docs/en/guide/daemonset-mount.md

@@ -4,35 +4,71 @@ This feature allows JuiceFS CSI Driver to deploy Mount Pods as DaemonSets instea
 
 ## Overview
 
-When `STORAGE_CLASS_SHARE_MOUNT` is enabled, JuiceFS CSI Driver shares Mount Pods across multiple PVCs that use the same StorageClass. By default, these are created as individual Pods. With the DaemonSet option, Mount Pods are deployed as DaemonSets, providing:
+When `STORAGE_CLASS_SHARE_MOUNT` is enabled, JuiceFS CSI Driver shares Mount Pods across multiple PVCs that use the same StorageClass. By default, these are created as individual shared Pods. With the DaemonSet option, Mount Pods are deployed as DaemonSets, providing:
 
 - **Better resource control**: DaemonSets ensure one Mount Pod per selected node
 - **Node affinity support**: Control which nodes run Mount Pods using nodeAffinity
 - **Automatic lifecycle management**: DaemonSets handle Pod creation/deletion automatically
 - **Simplified operations**: Easier to manage and monitor Mount Pods
 - **Works with existing StorageClasses**: No need to modify or recreate StorageClasses
+- **Automatic mode transition**: Seamlessly switches from shared-pod to DaemonSet mode
 
-## Configuration
+## Prerequisites
+
+### 1. Enable Mount Sharing
+
+Set the `STORAGE_CLASS_SHARE_MOUNT` environment variable in **BOTH** the CSI Controller and CSI Node components:
+
+```yaml
+# For StatefulSet (Controller)
+kubectl set env statefulset/juicefs-csi-controller -n kube-system STORAGE_CLASS_SHARE_MOUNT=true
+
+# For DaemonSet (Node)
+kubectl set env daemonset/juicefs-csi-node -n kube-system STORAGE_CLASS_SHARE_MOUNT=true
+```
+
+Or add to your Helm values:
+
+```yaml
+node:
+  storageClassShareMount: true
+controller:
+  storageClassShareMount: true  # Note: This may need to be added to the Helm chart
+```
 
-### Enable DaemonSet Mount
+### 2. Grant RBAC Permissions
 
-DaemonSet mount is automatically available when mount sharing is enabled. To enable mount sharing, set this environment variable in the CSI Driver deployment:
+The CSI Node service account needs permissions to manage DaemonSets. Add these permissions:
 
 ```yaml
-env:
-  - name: STORAGE_CLASS_SHARE_MOUNT
-    value: "true"
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
 ```
 
-Once enabled, you can configure specific StorageClasses to use DaemonSet mode via the ConfigMap (see below).
+This is included in the latest deployment manifests (`deploy/k8s.yaml`).
+
+## Configuration
+
+### Mount Modes
 
-### Configure Node Affinity
+JuiceFS CSI Driver supports three mount modes:
 
-There are two ways to configure node affinity for DaemonSet Mount Pods:
+1. **`pvc`** (or `mountpod`): One mount pod per PVC - each PVC gets its own dedicated mount pod
+2. **`shared-pod`**: One shared mount pod per StorageClass per node - multiple PVCs share a mount pod
+3. **`daemonset`**: One DaemonSet for the entire StorageClass - ensures one mount pod per selected node
 
-#### Method 1: ConfigMap (Recommended for existing StorageClasses)
+### Configure Mount Mode and Node Affinity
 
-Create a ConfigMap to define node affinity for your StorageClasses without modifying them:
+Create a ConfigMap to configure mount mode and optionally node affinity:
 
 ```yaml
 apiVersion: v1
@@ -43,25 +79,27 @@ metadata:
 data:
   # Default configuration for all StorageClasses
   default: |
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-        - matchExpressions:
-          - key: node-role.kubernetes.io/control-plane
-            operator: DoesNotExist
+    mode: shared-pod  # Options: "pvc", "shared-pod", "daemonset"
+    # nodeAffinity is NOT required for pvc or shared-pod modes
   
   # Configuration for specific StorageClass by name
-  my-existing-storageclass: |
-    nodeAffinity:
+  my-storageclass: |
+    mode: daemonset
+    nodeAffinity:  # Required for daemonset mode to control which nodes run mount pods
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: juicefs/mount-node
+          - key: node.kubernetes.io/workload
             operator: In
             values:
-            - "true"
+            - "compute"
 ```
 
+**Important notes:**
+- `mode`: Choose from `pvc`, `shared-pod`, or `daemonset`
+- `nodeAffinity`: Only required for `daemonset` mode to control which nodes the DaemonSet runs on
+  - NOT required for `pvc` or `shared-pod` modes (pods are created on-demand where PVCs are used)
+
 This method works with existing StorageClasses without any modifications.
 
 #### Method 2: StorageClass Parameters (For new StorageClasses)

pkg/controller/pod_driver.go

@@ -462,6 +462,25 @@ func (p *PodDriver) podDeletedHandler(ctx context.Context, pod *corev1.Pod) (Res
 
 	// create
 	if len(existTargets) != 0 && !hasAvailPod {
+		// Check if we're using DaemonSet mode for this storage class
+		// If so, don't recreate shared pods - let DaemonSet handle it
+		if config.StorageClassShareMount && setting != nil {
+			// Load mount configuration to check mode
+			if err := config.LoadMountConfig(ctx, p.Client, setting); err != nil {
+				log.Error(err, "Failed to load mount config, continuing with pod recreation")
+			} else if config.ShouldUseDaemonSet(setting) {
+				log.Info("Mount mode is DaemonSet, skipping pod recreation", 
+					"storageClass", setting.StorageClass,
+					"uniqueId", setting.UniqueId)
+				// Just remove finalizer and let DaemonSet handle the mount
+				if err := resource.RemoveFinalizer(ctx, p.Client, pod, common.Finalizer); err != nil {
+					log.Error(err, "remove pod finalizer error")
+					return Result{}, err
+				}
+				return Result{}, nil
+			}
+		}
+		
 		// create pod
 		newPodName := podmount.GenPodNameByUniqueId(resource.GetUniqueId(*pod), true)
 		log.Info("pod targetPath not empty, need to create a new one", "newPodName", newPodName)