OpenShift Container Platform (OCP) Strategy
OCPSTRAT-120

Implement RWOP SELinux context mounts (TechPreview)


    Description

      Epic Goal*

      Provide a long term solution to SELinux context labeling in OCP.

      Why is this important? (mandatory)

      Today, when SELinux is enabled, every file on a PV is relabeled when the PV is attached to a pod. When the PV contains a large number of files this can cause the pod start to time out and can overload the storage backend.

      https://access.redhat.com/solutions/6221251 provides a few workarounds until the proper fix is implemented. Unfortunately these workarounds are not perfect, and we need a long-term, seamless, optimised solution.

      This feature tracks the long-term solution, where the PV filesystem is mounted with the right SELinux context, which avoids relabeling every file.

      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. Apply new context when there is none
      2. Change context of all files/folders when changing context
      3. RWO & RWX PVs
        1. ReadWriteOncePod PVs first
        2. RWX PV in a second phase

      As we are relying on the mount context, there should not be any relabeling (chcon): all files and folders inherit the context from the mount context.

      More on design & scenarios in the KEP and related epic STOR-1173

      Dependencies (internal and external) (mandatory)

      None for the core feature

      However, the driver will have to set SELinuxMountSupported to true in the CSIDriverSpec to enable this feature.
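      As an added example (not part of this epic, of OCP, or of any CSI driver's code), the three objects that together trigger a context mount under the design above: a CSIDriver that advertises support, a ReadWriteOncePod PVC, and a pod that requests a specific SELinux level. Driver name, storage class, image and MCS level are placeholders. Upstream, the CSIDriverSpec field is spelled `seLinuxMount`; this example assumes that is the flag the epic calls SELinuxMountSupported.

```yaml
# Added example; all names and values below are placeholders.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: example.csi.vendor.invalid   # placeholder driver name
spec:
  attachRequired: true
  podInfoOnMount: false
  fsGroupPolicy: File
  # Advertises that this driver's volumes can be mounted with -o context=<label>.
  # Without this, kubelet keeps the old behaviour: a recursive relabel of every file.
  seLinuxMount: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  accessModes:
    - ReadWriteOncePod   # phase 1 of the epic: only RWOP volumes get a context mount
  storageClassName: example-sc   # placeholder storage class backed by the driver above
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    seLinuxOptions:
      # The level must be known up front so kubelet can pass the full label
      # as the mount context instead of walking the filesystem with chcon.
      level: "s0:c123,c456"   # constructed MCS level, not a real assignment
  containers:
    - name: app
      image: registry.access.redhat.com/ubi9/ubi-minimal   # placeholder image
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data
```

      Once the pod is running, the volume's entry in /proc/mounts on the node carries the context= option and no relabeling pass runs over the files. If the CSIDriver object does not set the flag, if the pod omits seLinuxOptions.level, or if the PVC is RWO/RWX (phase 2 of this epic), kubelet falls back to the recursive relabel described under "Why is this important?".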

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - STOR
      • Documentation - STOR
      • QE - STOR
      • PX - 
      • Others -

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending”

            People

              rh-gs-gcharot Gregory Charot
              Chao Yang Chao Yang
              Lisa Pettyjohn Lisa Pettyjohn
              Jan Safranek Jan Safranek
              Gregory Charot Gregory Charot
              Eric Rich Eric Rich
              Votes: 2
              Watchers: 11
