Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-389

Shared Resources: Validate Resource Admission


    • Shared Resources: Validate Resource Admission
    • False
    • False
    • Yellow
    • Done
    • OCPSTRAT-201 - Enable sharing ConfigMaps and Secrets across namespaces [GA]
    • OCPSTRAT-201Enable sharing ConfigMaps and Secrets across namespaces [GA]
    • 0% To Do, 0% In Progress, 100% Done

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      • Require volumes that use the Shared Resources CSI driver to specify readOnly: true in order to create the pod
      • Reserve the "openshift-" prefix for SharedSecrets and SharedConfigMaps, such that these resources can only be created by OpenShift operators. We must do this while the driver is tech preview.

      Why is this important?

      • readOnly: true must be specified in order for the driver to mount the volume correctly. If this is not set, the volume mount is rejected and the pod will be stuck in a Pending/Initializing state.
      • A validating admission webhook will ensure that the pods won't be created in such a state, improving user experience.
      • Openshift operators may want/need to create SharedSecrets and SharedConfigMaps so they can be used as system level resources. For example, Insights Operator can automatically create a SharedSecret for the Simple Content Access cert.


      1. As a developer, I want to consume shared Secrets and ConfigMaps in my workloads so that I can have access to shared credentials and configuration.
      2. As a cluster admin, I want the Insights operator to automatically create a SharedSecret for my cluster's simple content access certificate.
      3. As a cluster admin/SRE, I want OpenShift to use SharedConfigMaps to distribute cluster certificate authorities so that data is not duplicated in ConfigMaps across my cluster.

      Acceptance Criteria

      • Pods must have readOnly: true set to use the shared resource CSI Driver - admission should be rejected if this is not set.
      • Documentation updated to reflect this requirement.
      • Users (admins?) are not allowed to create SharedSecrets or SharedConfigMaps with the "openshift-" prefix.

      Dependencies (internal and external)

      1. ART - to create payload image for the webhook
      2. Arch review for the enhancement proposal (Apiserver/control plane team)

      Previous Work (Optional):

      1. BUILD-293 - Shared Resources tech preview

      Open questions::

      1. From email exchange with David Eads:  "Thinking ahead to how we'd like to use this in builds once we're GA, are we likely to choose openshift-etc-pki-entitlement as one of our well-known names?  If we do, what sort of validation (if any) would we like to provide on the backing secret and does that require any new infrastructure?"

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            cdaley Corey Daley
            adkaplan@redhat.com Adam Kaplan
            0 Vote for this issue
            5 Start watching this issue