Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-406

Enhancement Proposal - Validating Webhook for Shared Resource CSI Driver

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Undefined
    • None
    • None
    • None
    • Sprint 215, Sprint 216

    Description

      Spike User Stories

      As a developer using the Shared Resource CSI Driver
      I want a webhook that ensures `readOnly: true` is set on volumes for the Shared Resource CSI Driver
      So that pods are not stuck in "Creating" state waiting for a mount that will never succeed.

      As an OpenShift operator maintainer or cluster administrator
      I want to reserve the `openshift-` prefix for SharedSecrets and SharedConfigMaps
      So that future OpenShift operators can create system-level shared resources.

      As an OpenShift operator maintainer or cluster administrator
      I want to ensure that the content in a SharedSecret or SharedConfigMap is valid
      So that consumers of shared resources consume valid content.

      Acceptance Criteria

      • OpenShift Enhancement Proposal addressing spike user stories
      • Agreed to design as to how we are going to deploy this component:
        • Validating webhook managed by the cluster storage operator?
        • Admission plugin inside openshift-apiserver?
      • Ensure proposal meets "Tech Preview" requirements for new OCP components, especially wrt observability ("operate first").

      Notes

      David Eads and Jan Safranek should be assigned as approvers to this proposal (Auth and Storage representatives). Unclear if any other individuals/teams should be included. Perhaps review from Monitoring for observability bits (ex - questions about metrics and alerting).

      Attachments

        Issue Links

          blocks

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. BUILD-391 Bootstrap Shared Resource CSIDriver Validating Webhook

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. BUILD-392 Shared Resources: Require readOnly: true on Pod Admission

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. BUILD-407 Reserved Name Prefix for SharedSecret/SharedConfigMaps

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/enhancements#1056: BUILD-406: shared resource validating admission EP

          Activity

            People

              gmontero@redhat.com Gabe Montero
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: