Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-354

Secure Ephemeral CSI Volume Mounts

    XMLWordPrintable

Details

    • Epic
    • Resolution: Won't Do
    • Critical
    • None
    • None
    • shared-resources
    • None
    • Secure Ephemeral CSI Volume Mounts
    • False
    • False
    • Done
    • 100
    • 100% 100%

    Description

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      • Add features to OpenShift which provide allowlist capabilities for CSIDrivers that support the "Ephemeral" volumes feature.

      Why is this important?

      • OpenShift currently limits the use of inline ephemeral CSI volumes to relatively privileged users
      • Upstream Kubernetes, on the other hand, allows all users to mount inline ephemeral CSI volumes when the PodSecurity admission plugin is enabled (default for OpenShift).

      Scenarios

      1. As a cluster admin, I want to decide which CSIDrivers are safe for otherwise restricted users when an inline ephemeral CSI volume is requested

      Acceptance Criteria

      • OpenShift cluster admins can declare which CSIDrivers are safe to use for a given PodSecurity profile using a label or annotation.
      • OpenShift developers/engineers can declare their driver is safe for a given PodSecurity profile by adding a label or annotation to a CSIDriver object.
      • Behavior of the new label/annotation is documented, referencing its relationship to Kubernetes PodSecurity profile.

      Dependencies (internal and external)

      1. Kubernetes PodSecurity

      Previous Work (Optional):

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          duplicates

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. STOR-746 CSI Inline Volume Support with admission plugin

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: