Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-3327

Implement Selinux context mounts

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Not Selected
    • 0
    • 0% 0%

    Description

      1. Proposed title of this feature request

      Selinux context mounts

      2. What is the nature and description of the request?

      As of today when selinux is enabled, the PV's files are relabeled when attaching the PV to the pod, this can cause timeout when the PVs contains lot of files as well as overloading the storage backend.

      https://access.redhat.com/solutions/6221251 provides few workarounds until the proper fix is implemented. Unfortunately these workaround are not perfect and we need a long term seamless optimised solution.

      This RFE tracks the long term solution where the PV FS will be mounted with the right selinux context thus avoiding to relabel every file.

      3. Why does the customer need this? (List the business requirements here)

      Selinux is a absolute must have when it comes to security enforcement. The current selinux implementation (labelling files) brings some serious issues with PV's attachment and can potentially cause problems to the storage backend.

      4. List any affected packages or components.

      OCP storage

      KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

      Current targets: 4.13 Alpha - 4.14 beta/tech preview - GA will depends on beta/TP release date

      Attachments

        Issue Links

          depends on

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1148 Implement RWO/RWX SELinux context mounts (TechPreview)

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1147 Implement RWOP SELinux context mounts (Full Support)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • In Progress

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-120 Implement RWOP SELinux context mounts (TechPreview)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-14864 Add a known issue about Selinux relabeling issue

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-612 Automate workaround for SELinux relabeling issue for large volumes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          Web Link When using Persistent Volumes with high file counts in OpenShift, why do pods fail to start or take an excessive amount of time to achieve "Ready" state?

          Activity

            People

              rh-gs-gcharot Gregory Charot
              rh-gs-gcharot Gregory Charot
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: