Feature Request
Resolution: Unresolved
Future Sustainability
Red Hat OpenShift Container Platform
Major Risks/Opportunities:
- Risks:
  - Failure to provide a standardized solution forces customers to rely on complex and unsupported workarounds, increasing the risk of misconfiguration and security vulnerabilities.
  - Inconsistent UID/GID management can lead to application errors, data corruption, and compliance issues.
  - Increased operational overhead for administrators managing UID/GID mappings across disparate systems.
- Opportunities:
  - Providing native LDAP integration for UID/GID management will significantly improve the enterprise readiness of OpenShift.
  - This feature will streamline operations, reduce administrative overhead, and enhance security for customers with existing LDAP infrastructure.
  - Adoption of this feature will increase customer confidence in OpenShift's ability to integrate with their existing enterprise systems.
Overall Purpose: To enable OpenShift to seamlessly integrate with existing LDAP infrastructure for the management of container UIDs and GIDs, providing a centralized, consistent, and supported approach that reduces operational complexity and enhances security for enterprise customers.
Today, OpenShift assigns UIDs and GIDs to containers based on security context information configured within the OpenShift project. This approach creates a disconnect for enterprise customers that rely on LDAP as the single source of truth for user and group identity management. These customers face significant challenges in reconciling OpenShift's internal UID/GID management with their centralized LDAP systems, leading to increased administrative overhead and potential inconsistencies.
Many of our customers require a solution that allows OpenShift to assign UIDs and GIDs to containers by querying their existing LDAP servers. Ideally, the OpenShift project name (or a configurable equivalent) would be used to retrieve the corresponding UID/GID information from LDAP. This would enable these organizations to maintain all UID/GID mappings within their LDAP infrastructure, ensuring consistency, simplifying administration, and improving compliance.
The lack of a supported mechanism for LDAP-based UID/GID management forces customers to implement complex and potentially fragile workarounds, such as:
- Manually pre-defining UID/GID ranges within OpenShift namespaces.
- Creating corresponding LDAP entries with matching UIDs/GIDs.
- Developing custom scripts or tools to synchronize UID/GID information between OpenShift and LDAP.
These workarounds are time-consuming, error-prone, and difficult to maintain, especially at scale. They also fall outside of Red Hat's support scope, leaving customers vulnerable to potential issues and unsupported configurations.
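As an added illustration of the third workaround (example code written for this page, not code from Red Hat or from the request itself): a hypothetical sync helper that resolves a project name to a posixAccount in a constructed LDIF export and emits the two namespace annotations OpenShift's SCC admission reads when assigning a project's UID range and supplemental groups. The LDIF layout (one posixAccount per project under ou=projects, cn equal to the project name) and the accepted id window are assumptions; the annotation names are the ones OpenShift uses.

```python
import re
# Constructed LDIF export standing in for a live LDAP search; a real tool would
# query (&(objectClass=posixAccount)(cn=<project>)) instead of reading a file.
SAMPLE_LDIF = """\
dn: cn=payments,ou=projects,dc=example,dc=com
objectClass: posixAccount
cn: payments
uidNumber: 2000100
gidNumber: 2000100

dn: cn=legacy,ou=projects,dc=example,dc=com
objectClass: posixAccount
cn: legacy
uidNumber: 0
gidNumber: 0
"""
# Assumed id window: ids outside it are refused, since 0 is root and the low range
# collides with host system accounts that OpenShift's default project UID range avoids.
MIN_ID, MAX_ID = 1000, 4294967294

def parse_ldif(text):
    """Split LDIF into entries; every attribute becomes a list of string values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key, []).append(val)
        entries.append(entry)
    return entries

def lookup_ids(entries, project):
    """Return (uid, gid) for the posixAccount whose cn equals the project name."""
    match = [e for e in entries
             if "posixAccount" in e.get("objectClass", []) and e.get("cn") == [project]]
    if len(match) != 1:  # zero or ambiguous hits must never fall back to a default id
        raise LookupError(f"expected one posixAccount for {project!r}, found {len(match)}")
    uid, gid = int(match[0]["uidNumber"][0]), int(match[0]["gidNumber"][0])
    for name, value in (("uid", uid), ("gid", gid)):
        if not MIN_ID <= value <= MAX_ID:
            raise ValueError(f"{name} {value} for {project!r} outside {MIN_ID}-{MAX_ID}")
    return uid, gid

def namespace_annotations(entries, project):
    """Annotations the restricted SCC consults for a project's UID range and
    supplemental groups; values are "<start>/<size>", and size 1 pins a single id."""
    uid, gid = lookup_ids(entries, project)
    return {"openshift.io/sa.scc.uid-range": f"{uid}/1",
            "openshift.io/sa.scc.supplemental-groups": f"{gid}/1"}
```

The returned dict is what an administrator would apply to the namespace (for example with `oc annotate --overwrite`) so that pods admitted under the restricted SCC receive the LDAP-defined ids; the id-window check is the guard that keeps a stray `uidNumber: 0` in the directory from ever reaching a container.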
Requested Enhancement:
We request the development and formal support of a mechanism that enables OpenShift to integrate with LDAP for container UID/GID management. This enhancement should include the following:
- LDAP Querying: OpenShift should be able to query an LDAP server to retrieve UID/GID assignments for containers, based on a configurable identifier (e.g., project name, service account).
- Configuration: Provide OpenShift administrators with a clear and well-documented method to configure the LDAP connection and define the mapping between OpenShift entities and LDAP entries.
- Integration with Security Contexts: Integrate the LDAP UID/GID mapping with OpenShift's security context constraints (SCCs) to ensure secure and controlled access to resources.
- CSI Integration: Ensure that this feature is compatible with Container Storage Interface (CSI) drivers on OpenShift, allowing for consistent UID/GID management when accessing persistent volumes.
- Documentation: Provide comprehensive documentation in the OpenShift Administration Guide, detailing the configuration, usage, and best practices for LDAP UID/GID management.
Benefits:
- Centralized Identity Management: Enables customers to maintain a single source of truth for UID/GID information in their existing LDAP systems, simplifying administration and reducing the risk of inconsistencies.
- Streamlined Operations: Reduces the operational overhead associated with managing UID/GID mappings across disparate systems, freeing up administrators to focus on other tasks.
- Enhanced Security: Improves security by ensuring that containers run with the correct UIDs and GIDs, reducing the risk of unauthorized access to resources.
- Improved Compliance: Helps customers meet compliance requirements by providing a consistent and auditable approach to UID/GID management.
- Increased Customer Confidence: Provides customers with a supported and reliable solution, increasing their confidence in OpenShift's ability to integrate with their existing enterprise infrastructure.
- Reduced Risk: Minimizes the risk of misconfiguration and security vulnerabilities associated with unsupported workarounds.
- Consistency: Aligns UID/GID management with other first-class OpenShift features.