OCPSTRAT-2135: Allow setting storageSecurityPolicy per namespace (GA)

Project: OpenShift Container Platform (OCP) Strategy


      Feature Overview (aka. Goal Summary)  

      Find and productise a way to configure fsGroupChangePolicy and selinuxChangePolicy per namespace.

      Goals (aka. expected user outcomes)

      The default fsGroupChangePolicy consistently leads to performance problems when a volume contains a large number of files. Setting it to OnRootMismatch limits the issue, but that is only possible at the workload level (pod/deployment/etc.), forcing users to remember to do it.

      This feature simplifies the user experience by allowing admins to set fsGroupChangePolicy on a per-namespace basis. Changing the default in k8s/OCP has been rejected; this epic is an alternative that is acceptable to customers.

      This applies to new workloads only, NOT to already running ones. However, when pods are restarted they inherit the namespace-level value.

      We also want to use this feature to drive the changes needed so that customers can use the same label/annotation on a per-namespace basis to set selinuxChangePolicy.

      Implementation:

      Use labels on the namespace:

      storage.openshift.io/fsgroup-change-policy

      storage.openshift.io/selinux-change-policy
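The following is an added example, not code from the OCPSTRAT-2135 epic or from OpenShift itself. It models the behaviour described in the Goals and Implementation sections: when a pod is created in a namespace carrying the two labels named above, the namespace value becomes the pod's default, a value the user set explicitly in the pod spec wins, and already-created pods are never touched. The label names are the ones on this page; the assumptions are that the defaulting happens as a mutating admission step on pod creation (the page does not say how OCP implements it), that a label value outside the Kubernetes-defined set is ignored and reported rather than written into the pod, and the use of the upstream Kubernetes field name seLinuxChangePolicy with its values MountOption and Recursive.

```python
"""Model of per-namespace storage security defaults (added example, not OCP code).

Label names come from the feature description. The mutating-admission
mechanism, the handling of invalid label values, and the sample data are
assumptions/constructions made for this example.
"""
import copy

FSGROUP_LABEL = "storage.openshift.io/fsgroup-change-policy"
SELINUX_LABEL = "storage.openshift.io/selinux-change-policy"

# Map each namespace label to the pod.spec.securityContext field it defaults,
# plus the set of values Kubernetes accepts for that field.
ALLOWED = {
    FSGROUP_LABEL: ("fsGroupChangePolicy", {"Always", "OnRootMismatch"}),
    SELINUX_LABEL: ("seLinuxChangePolicy", {"MountOption", "Recursive"}),
}


def apply_namespace_defaults(namespace_labels, pod):
    """Return (mutated copy of pod, list of human-readable notes).

    Rules modelled from the feature text:
      * A value already present in pod.spec.securityContext always wins
        (users can override the namespace default in their workload spec).
      * A label whose value is not an allowed one is ignored and reported
        (assumption for this example; the page does not define this case).
      * The input pod is never modified in place; only the object being
        admitted changes, which mirrors "new workloads only".
    """
    pod = copy.deepcopy(pod)
    sc = pod.setdefault("spec", {}).setdefault("securityContext", {})
    notes = []
    for label, (field, allowed) in ALLOWED.items():
        value = namespace_labels.get(label)
        if value is None:
            continue  # namespace does not opt in for this field
        if value not in allowed:
            notes.append(f"ignored {label}={value!r}: not one of {sorted(allowed)}")
            continue
        if field in sc:
            notes.append(f"kept pod-level {field}={sc[field]!r} over namespace label")
            continue
        sc[field] = value
        notes.append(f"set {field}={value!r} from namespace label")
    return pod, notes


# Constructed sample input: a labelled namespace and a pod that sets fsGroup
# but no change policy, so both namespace defaults should be applied.
NAMESPACE_LABELS = {
    "kubernetes.io/metadata.name": "data-pipeline",
    FSGROUP_LABEL: "OnRootMismatch",
    SELINUX_LABEL: "MountOption",
}

POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "worker", "namespace": "data-pipeline"},
    "spec": {
        "securityContext": {"fsGroup": 2000},
        "containers": [{"name": "app", "image": "registry.example/app:1.0"}],
    },
}


def demo():
    """Run the sample pod through the defaulting step."""
    mutated, notes = apply_namespace_defaults(NAMESPACE_LABELS, POD)
    return mutated["spec"]["securityContext"], notes


if __name__ == "__main__":
    security_context, notes = demo()
    print(security_context)
    for note in notes:
        print(" -", note)
```

On a live cluster the opt-in itself is just a namespace label (for example `oc label namespace data-pipeline storage.openshift.io/fsgroup-change-policy=OnRootMismatch`); the point of the model is the precedence order: explicit pod value, then namespace label, then the cluster default, with nothing retroactively applied to pods that already exist.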

      Requirements (aka. Acceptance Criteria):

      Deployment considerations (list applicable specific needs; N/A = not applicable):

      Self-managed, managed, or both: y
      Classic (standalone cluster): y
      Hosted control planes: y
      Multi node, Compact (three node), or Single node (SNO), or all: y
      Connected / Restricted Network: y
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x): all
      Operator compatibility: n/a
      Backport needed (list applicable versions): N
      UI need (e.g. OpenShift Console, dynamic plugin, OCM): N
      Other (please specify):

      Use Cases (Optional):

      As an OCP admin, I want to define fsGroupChangePolicy or selinuxChangePolicy on a per-namespace basis.

      Out of Scope

      UI, already running workloads.

      Background

      The default fsGroupChangePolicy consistently leads to performance problems when a volume contains a large number of files. Setting it to OnRootMismatch limits the issue, but that is only possible at the workload level (pod/deployment/etc.), forcing users to remember to do it. The same applies, even more so, to the SELinux context; this feature will also cover the new SELinux context mount with selinuxChangePolicy.

      Customer Considerations

      We should not change the global cluster-level default, as it could break some clusters. This is an opt-in feature only.

      Documentation Considerations

      Document how to enable the feature and how to define fsGroupChangePolicy and selinuxChangePolicy per namespace. Mention that it does not affect existing workloads. Users can always override fsGroupChangePolicy in their workload's spec.

      Interoperability Considerations

      Applies to all

              Gregory Charot (rh-gs-gcharot)
              Hemant Kumar
              Chao Yang
              Lisa Pettyjohn
              Eric Rich