How to disable recursive group change (fsGroupPolicy) in Azure File CSI Driver on AKS

Question

How to disable recursive group change (fsGroupPolicy) in Azure File CSI Driver on AKS

Pablo Zambrano 0

We are experiencing excessive delays (e.g., 30 minutes) during volume mounting due to the managed Azure File CSI driver performing recursive chgrp operations when fsGroup is set in pod securityContext.

This appears to be due to fsGroupPolicy being set to ReadWriteOnceWithFSType by default in the managed driver (file.csi.azure.com).

We would like to:

Understand whether it's possible to configure fsGroupPolicy: None in the managed CSI driver.

If not, request official guidance or support on safely replacing the managed CSI driver with the open-source version that allows setting fsGroupPolicy.

Platform: AKS

Region: Australia East

Kubernetes Version: 1.31.7

Driver Version: v1.30.6

Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-22T16:16:16.2833333+00:00

Hi Pablo Zambrano,
I have a added few additional steps on how to install the open-source CSI driver and disable the existing one. If this was helpful, please give an upvote on the first posted comment and let us know if you need anything else
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-23T03:09:11.5+00:00

Hi Pablo Zambrano,,
Just wanted to check on my previous response If you need any other information, please let me know will help you.!
Pablo Zambrano 0 Reputation points

2025-05-23T03:42:16.9833333+00:00
Hi @Akshay kumar Mandha ,

Thanks again for your detailed instructions and support.

We’ve completed the transition to the open-source Azure File CSI driver using Helm, and have disabled the Azure-managed CSI driver on our AKS cluster (v1.31.7, Australia East). The fsGroupPolicy is now explicitly set to None in the CSIDriver resource:

apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: annotations: csiDriver: v1.33.0 meta.helm.sh/release-name: azurefile-csi meta.helm.sh/release-namespace: kube-system snapshot: v8.2.1 creationTimestamp: "2025-05-23T02:29:02Z" generation: 1 labels: app.kubernetes.io/component: csi-driver app.kubernetes.io/instance: azurefile-csi app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: azurefile-csi-driver app.kubernetes.io/part-of: azurefile-csi-driver app.kubernetes.io/version: 1.33.0 helm.sh/chart: azurefile-csi-driver-1.33.0 name: file.csi.azure.com resourceVersion: "77636086" uid: 7e341756-a732-45bf-9eca-ee4bb0531504 spec: attachRequired: false fsGroupPolicy: None podInfoOnMount: true requiresRepublish: false seLinuxMount: false storageCapacity: false tokenRequests: - audience: api://AzureADTokenExchange volumeLifecycleModes: - Persistent - Ephemeral

However, we are still experiencing the same issue — when a pod that sets fsGroup in its securityContext mounts a volume, the CSI driver appears to perform a recursive chgrp on the volume contents. This operation takes 25–30 minutes on larger volumes, which causes pods (especially compute server pods in SAS Viya) to fail due to timeout.

We’ve reviewed the CSI driver logs, and while we no longer see explicit chgrp or chmod commands in some cases, the mount delay behavior remains, and directory contents still reflect fsGroup ownership applied recursively.

So here I have furthet questions:

Is this behavior expected even when fsGroupPolicy: None is set in the CSI driver?

Could this be due to a fallback or hidden configuration in AKS that overrides the CSI driver setting?

How can we fully disable recursive group ownership changes to avoid blocking pod startup?

Important: We noticed that after restarting the AKS cluster, the open-source CSI driver disappears, and we have to reinstall it. What is the correct and persistent way to ensure the open-source driver survives cluster restarts or upgrades?

Thanks again — looking forward to your advice
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-23T03:56:43.8133333+00:00
Hi Pablo Zambrano,
Thanks for your reply
Based on Microsoft's documentation, previously mentioned the open-source Azure File CSI driver may not be officially supported. Given that setting fsGroupPolicy: None still results in significant mount delays, it is advisable to use the Azure-managed CSI driver instead. Additionally, to avoid these delays, removing the securityContext permissions from the pod configuration might be the best approach. While this behavior appears to be expected, it is not explicitly mentioned in the official documentation

On recursive group ownership changes
I found an article stating that if we set fsGroupChangePolicy to OnRootMismatch, Kubernetes will only check the root volume. If the required permissions are already set, it will skip checking all other files. To avoid delays caused by recursive group ownership changes, use the following configuration.

securityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 3000 fsGroupChangePolicy: "OnRootMismatch"

Screenshot for your reference

Please refer below link article for more information
https://pet2cattle.com/2022/02/volume-permissions-fsgroupchangepolicy

Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.

On below question
4.Important: We noticed that after restarting the AKS cluster, the open-source CSI driver disappears, and we have to reinstall it. What is the correct and persistent way to ensure the open-source driver survives cluster restarts or upgrades?

Suggested inputs
the document does not support manual installation due to certain constraints. By default, the manually installed CSI driver will disappear, and even after attempting various methods, it still gets removed. Without official support for open-source CSI drivers, you may encounter additional issues in the future.

Until Microsoft officially confirms that manual installation of open-source CSI drivers is supported, proceeding with this setup remains uncertain. Despite multiple attempts to make it work, there is always a risk that the driver may disappear again at any point.

The only possible solution, based on the steps mentioned above, is to remove the fsGroup permission as referenced in the article and use the managed CSI driver exclusively. I recommend using managed CSI drivers.

Note: This is an article, not an official source, regarding changes to the fsGroup permission settings

Let me know if you need further clarification
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-26T01:47:39.54+00:00

Hi Pablo Zambrano,
Just wanted to check on my previous response If you need any other information, please let me know will help you.!
Pablo Zambrano 0 Reputation points

2025-05-27T01:14:35.3033333+00:00

Hi @Akshay kumar Mandha
I reviewed the pod configuration, and it does have this property: fsGroupChangePolicy: "OnRootMismatch". I will follow up with the vendor regarding changing the fsGroup from the pod's securityContext.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-27T03:15:55.1233333+00:00

Hi Pablo Zambrano,
Thank you for your reply and update.
Could you please follow up with him to try removing the securityContext and check once? This will help us determine if it results in the same response or if the pod still experiences the same delay. This way, we can know
If it is working only the option to use remove security context
If this option doesn’t work, we will need to look for other solutions. It might be that by default, things don’t change in the managed CSI driver, as we have the default one
I will also check for any alternative sources or information. If I find anything, I will inform you here first.

Please let me know if you have any other queries—just tag me in the comments. I’m happy to help you.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-28T01:02:41.58+00:00

Hi Pablo Zambrano,,
If you have any updates or further queries, please let me know. I’ll be happy to assist you as needed.!
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-29T05:09:27.97+00:00

Hi Pablo Zambrano,,
just following up to see on my previous response if you get any update and please let me know if you any further query

1 answer

Your answer

Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-22T16:16:16.2833333+00:00

Hi Pablo Zambrano,
I have a added few additional steps on how to install the open-source CSI driver and disable the existing one. If this was helpful, please give an upvote on the first posted comment and let us know if you need anything else
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-23T03:09:11.5+00:00

Hi Pablo Zambrano,,
Just wanted to check on my previous response If you need any other information, please let me know will help you.!
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-26T01:47:39.54+00:00

Hi Pablo Zambrano,
Just wanted to check on my previous response If you need any other information, please let me know will help you.!
Pablo Zambrano 0 Reputation points

2025-05-27T01:14:35.3033333+00:00

Hi @Akshay kumar Mandha
I reviewed the pod configuration, and it does have this property: fsGroupChangePolicy: "OnRootMismatch". I will follow up with the vendor regarding changing the fsGroup from the pod's securityContext.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-27T03:15:55.1233333+00:00

Hi Pablo Zambrano,
Thank you for your reply and update.
Could you please follow up with him to try removing the securityContext and check once? This will help us determine if it results in the same response or if the pod still experiences the same delay. This way, we can know
If it is working only the option to use remove security context
If this option doesn’t work, we will need to look for other solutions. It might be that by default, things don’t change in the managed CSI driver, as we have the default one
I will also check for any alternative sources or information. If I find anything, I will inform you here first.

Please let me know if you have any other queries—just tag me in the comments. I’m happy to help you.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-28T01:02:41.58+00:00

Hi Pablo Zambrano,,
If you have any updates or further queries, please let me know. I’ll be happy to assist you as needed.!
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-29T05:09:27.97+00:00

Hi Pablo Zambrano,,
just following up to see on my previous response if you get any update and please let me know if you any further query

Answer 1

Hi Pablo Zambrano,
Based on your query, the documentation does not explicitly mention the ability to change this policy. However, I attempted to modify the policy on my side, but after a certain period, it reverted to the default setting: ReadWriteOnceWithFSType. When I changed it to None, it was automatically reset to the default version. by using below command

kubectl edit csidriver file.csi.azure.com

As an alternative, if file permissions are already correct, removing fsGroup from the pod's securityContext prevents Kubernetes from triggering recursive ownership changes (chgrp), effectively reducing mount delays.

Added steps below installing open-source CSI driver
To install the open-source CSI driver instead of the Azure-managed version, you must first disable the Azure CSI driver. Before doing so, you need to properly eject the PVC and PV; otherwise, they may misbehave or become stuck. If the PVC and PV are not detached correctly, they will remain attached to the existing configuration and cannot be overridden.

If your pod is using the storage, you must delete the pod or remove the mount configuration from the YAML file before ejecting the PVC and PV. Once the PVC and PV are no longer attached to any pod, if you are unable to detach you need the PV and PVC delete those things then you can safely disable the Azure-managed CSI driver using the following command:

az aks update \
  --name <clsutername> \
  --resource-group <resourcegrp> \
  --disable-file-driver

To verify the driver has been disabled, use:

kubectl get csidriver

After that, you can install the open-source Azure File CSI driver using Helm:
I'm adding below command to your private message please check here I'm unable post the command

Update command <----->

helm install azurefile-csi azurefile-csi-driver/azurefile-csi-driver \
--namespace kube-system \
--set linux.enabled=true \
--set windows.enabled=false \
--set controller.replicas=1

Then check whether the driver was installed successfully with: kubectl get csidriver

To verify whether the driver is managed by Azure or installed manually, run inspect the elements

kubectl describe csidriver file.csi.azure.com

And then Edit the CSI driver using the command below to change fsGroupPolicy to None. Once applied, as shown in the screenshot, it should work as expected. changes was applied on the open source csi driver

User's image

After modifying the CSI driver, recreate or update the PVC and PV YAML files in the same way as you initially did for the Azure-managed version. Deploy the cluster and, once the pod is running, verify that you can see the mounted storage files within the pod. If you can access the files from the pod, the setup is working correctly. after the above steps I have check in my lab I'm able to see the mount storage file from pod as shown below screenshot
User's image

For you check whether operations are taking excessive time after setting fsGroupPolicy to None. If delays persist, consider removing the security context from your pod configuration to avoid unnecessary overhead. If performance issues continue, reverting to the Azure-managed CSI driver may be necessary

Disclaimer
If you face any issues for deploying this driver manually is not an officially supported Microsoft product. For a fully managed and supported Kubernetes experience, use AKS with the Azure-managed File CSI driver. Screenshot for your reference
User's image

Please refer the below documentation for more information
https://github.com/kubernetes-sigs/azurefile-csi-driver

Important note: Before performing any activity using these steps, make sure to take a backup of the configuration and data. It is recommended to use a test environment to avoid potential issues.

Please let me know if you have any further queries, and I will be happy to help as needed! If this was helpful, please give it an upvote and let us know.

Share via

How to disable recursive group change (fsGroupPolicy) in Azure File CSI Driver on AKS

1 answer

Your answer