OpenShift Container Platform (OCP) Strategy
OCPSTRAT-1148

Implement RWO/RWX SELinux context mounts (TechPreview)


    • Product / Portfolio Work
    • 0% To Do, 0% In Progress, 100% Done
    • XL

      Feature Overview (aka. Goal Summary)  

      Provide a long-term solution to SELinux context labeling in OCP. Continue the implementation with RWO/RWX PVs, which are the access modes most requested from the field. Start with a TechPreview support grade.

      Goals (aka. expected user outcomes)

      As of today, when SELinux is enabled, every file on the PV is recursively relabeled when the PV is attached to the pod. This can cause pod start timeouts when the PV contains a large number of files, and it overloads the storage backend with metadata writes.

      https://access.redhat.com/solutions/6221251 provides a few workarounds until the proper fix is implemented. Unfortunately these workarounds are not perfect, and we need a long-term, seamless, optimised solution.

      This feature tracks the long-term solution, where the PV filesystem is mounted with the right SELinux context (a mount option) instead of relabeling every file. This covers RWO/RWX PVs; RWOP is already being implemented and should GA in 4.17.

      Requirements (aka. Acceptance Criteria):

      Should pass all regular regression CI. All the drivers we ship should have it enabled, and partners may enable it for their own drivers if they want it to be consumed.

       

      Performance should be drastically improved, and security should remain the same as with the legacy chcon approach: files on the volume end up with the same pod-specific SELinux label, it is just applied once at mount time instead of once per file.

       

       

      Deployment considerations (N/A = not applicable)
        Self-managed, managed, or both: both
        Classic (standalone cluster): Y
        Hosted control planes: Y
        Multi node, Compact (three node), or Single node (SNO), or all: all
        Connected / Restricted Network: both
        Architectures (x86_64, ARM (aarch64), IBM Power (ppc64le), IBM Z (s390x)): all
        Operator compatibility: AWS EBS, Azure Disk, GCP PD, IBM VPC Block, OSP Cinder, vSphere
        Backport needed (list applicable versions): no
        UI need (e.g. OpenShift Console, dynamic plugin, OCM): no
        Other (please specify):

      Use Cases (Optional):


      1. Apply a new context when the volume has none
      2. Change the context of all files/folders when the context changes
      3. RWO and RWX PVs

      Because we rely on the mount context, there should not be any relabeling (chcon): all files and folders inherit the context from the mount option, so the cost no longer scales with the number of files on the volume.
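The following Python block is an added illustration for this page, not code from the epic, from kubelet or from any CSI driver. It models the two paths described above: the legacy recursive relabel, whose cost grows with the number of inodes on the volume, and the context mount, where the whole volume gets one label via a `context=` mount option. It also shows the check that matters for the RWX case: a volume mounted with a single context cannot serve two pods on the same node that need different labels. The default label fields (`system_u:object_r:container_file_t`), the function names, the `rwo_rwx_enabled` TechPreview switch and the conflict rule are all assumptions made for the example.

```python
"""Constructed illustration of SELinux context mounts versus recursive
relabeling. Added example for this page; NOT kubelet, CSI or OpenShift
code. All function names and the default label fields are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: defaults used when a pod omits parts of seLinuxOptions.
# They match the usual file label of container volumes on RHEL/RHCOS
# (system_u:object_r:container_file_t); the real kubelet takes them from
# the container runtime configuration.
DEFAULT_USER = "system_u"
DEFAULT_ROLE = "object_r"
DEFAULT_FILE_TYPE = "container_file_t"


@dataclass(frozen=True)
class SELinuxOptions:
    """Mirror of pod.spec.securityContext.seLinuxOptions."""
    user: Optional[str] = None
    role: Optional[str] = None
    type: Optional[str] = None
    level: Optional[str] = None


def file_label(opts: Optional[SELinuxOptions]) -> Optional[str]:
    """Label every file on the volume should end up with.

    The MCS level (e.g. s0:c123,c456) is what isolates pods from each
    other, so without an explicit level the label cannot be fixed at
    mount time and the caller must fall back to the legacy path."""
    if opts is None or not opts.level:
        return None
    return ":".join([opts.user or DEFAULT_USER, opts.role or DEFAULT_ROLE,
                     opts.type or DEFAULT_FILE_TYPE, opts.level])


def mount_options(driver_selinux_mount: bool, access_mode: str,
                  rwo_rwx_enabled: bool, opts: Optional[SELinuxOptions],
                  base: Tuple[str, ...] = ()) -> Tuple[List[str], bool]:
    """Decide how a volume gets its label on attach.

    Returns (mount options, relabel_needed). The context mount is used
    only when the CSI driver advertises support (CSIDriver
    spec.seLinuxMount: true), the access mode is covered (RWOP, or
    RWO/RWX when the TechPreview feature is on) and the pod pinned a
    level; otherwise the legacy recursive chcon must run."""
    mode_ok = access_mode == "ReadWriteOncePod" or (
        access_mode in ("ReadWriteOnce", "ReadWriteMany") and rwo_rwx_enabled)
    label = file_label(opts)
    if driver_selinux_mount and mode_ok and label is not None:
        return list(base) + [f'context="{label}"'], False
    return list(base), True


def legacy_relabel_ops(tree: dict) -> int:
    """Number of per-inode label writes a recursive relabel of `tree`
    costs (one per directory or file). `tree` maps names to either
    None (a file) or a nested dict (a directory). A context mount costs
    one mount call regardless of this number."""
    ops = 1  # the directory itself
    for child in tree.values():
        ops += legacy_relabel_ops(child) if isinstance(child, dict) else 1
    return ops


def shared_volume_conflicts(mounts: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Detect the RWX failure mode: `mounts` is (pod, volume, label) for
    pods on one node. A volume mounted with -o context carries exactly
    one label, so pods that need different labels for the same volume
    cannot all run there. Returns volume -> conflicting labels."""
    labels_by_volume: Dict[str, Set[str]] = {}
    for _pod, volume, label in mounts:
        labels_by_volume.setdefault(volume, set()).add(label)
    return {v: ls for v, ls in labels_by_volume.items() if len(ls) > 1}


if __name__ == "__main__":
    # Constructed sample input: a volume with 3 directories x 1000 files.
    tree = {f"d{i}": {f"f{j}": None for j in range(1000)} for i in range(3)}
    web = SELinuxOptions(level="s0:c123,c456")
    print("legacy relabel ops:", legacy_relabel_ops(tree))
    print("context mount     :", mount_options(True, "ReadWriteMany", True, web))
    print("driver opted out  :", mount_options(False, "ReadWriteMany", True, web))
    print("RWX conflicts     :", shared_volume_conflicts([
        ("web-0", "pvc-shared", file_label(web)),
        ("web-1", "pvc-shared", file_label(SELinuxOptions(level="s0:c7,c8"))),
    ]))
```

The conflict check is the caveat to keep in mind when enabling this for RWX volumes: with per-file relabeling, the last pod to attach simply rewrote the labels; with a context mount, the second pod on the same node that asks for a different level cannot be served by the existing mount, so pods sharing an RWX volume must be given the same `seLinuxOptions.level`.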

      More on design & scenarios in the KEP

       

      Out of Scope

      RWOP PVs

      Background

      Lots of support cases are due to pods taking too long to start because of SELinux relabeling with chcon. This epic covers the most "unpopular" case, RWX, especially for PVs with lots of files and backends that are slow at updating metadata.

      Customer Considerations

      Most cases and concerns are on RWX. RWOP was the first step and has limited customer impact, but it was easier to implement first and to gather feedback and metrics on. https://access.redhat.com/solutions/6221251

      This feature tracks TechPreview for RWO/RWX PVs.

      Documentation Considerations

      Release notes, plus a table of the drivers that support it.

      Interoperability Considerations

      Partners may want to enable the feature.

              rh-gs-gcharot Gregory Charot
              Jan Safranek
              Chao Yang
              Lisa Pettyjohn
              Eric Rich