-
Epic
-
Resolution: Won't Do
-
Critical
-
None
-
None
-
None
-
Secure Ephemeral CSI Volume Mounts
-
False
-
False
-
Done
-
0% To Do, 0% In Progress, 100% Done
OCP/Telco Definition of Done
Epic Template descriptions and documentation.
<--- Cut-n-Paste the entire contents of this description into your new Epic --->
Epic Goal
- Add features to OpenShift which provide allowlist capabilities for CSIDrivers that support the "Ephemeral" volumes feature.
Why is this important?
- OpenShift currently limits the use of inline ephemeral CSI volumes to relatively privileged users
- Upstream Kubernetes, on the other hand, allows all users to mount inline ephemeral CSI volumes when the PodSecurity admission plugin is enabled (default for OpenShift).
Scenarios
- As a cluster admin, I want to decide which CSIDrivers are safe for otherwise restricted users when an inline ephemeral CSI volume is requested
Acceptance Criteria
- OpenShift cluster admins can declare which CSIDrivers are safe to use for a given PodSecurity profile using a label or annotation.
- OpenShift developers/engineers can declare their driver is safe for a given PodSecurity profile by adding a label or annotation to a CSIDriver object.
- Behavior of the new label/annotation is documented, referencing its relationship to Kubernetes PodSecurity profile.
Dependencies (internal and external)
- Kubernetes PodSecurity
Previous Work (Optional):
- …
Open questions::
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- duplicates
-
-
- Closed
-