OpenShift Storage
STOR-1798

SELinux context mount for RWOP (Full Support)


    • BU Product Work
    • Green
    • To Do
    • OCPSTRAT-1147 - Implement RWOP SELinux context mounts (Full Support)
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      Support the upstream feature "SELinux relabeling using mount options (CSIDriver API change)" in OCP as fully supported for the RWOP access mode only.

      Summary: If a pod has a defined SELinux context (e.g. it runs under the "restricted" SCC), uses a ReadWriteOncePod PVC, and the CSI driver responsible for the volume supports this feature (it declares seLinuxMount: true in its CSIDriver object), kubelet and the CSI driver mount the volume directly with the correct SELinux label by passing a "-o context=..." mount option. CRI-O therefore does not need to recursively relabel every file on the volume, and pod startup can be significantly faster, especially for volumes with many files. The feature is limited to RWOP because that access mode guarantees a single pod uses the volume at a time, so there is never a second pod whose label could conflict with the mounted context. We will need thorough documentation for this.
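      The decision described in the summary, and the check an admin would run on a node afterwards, as an added example (this is not code from this epic, from OpenShift or from Kubernetes). The field and option names (CSIDriver.spec.seLinuxMount, the ReadWriteOncePod access mode, the "context=" mount option) are the upstream ones; the defaults used for unset user/role/type, the feature-gate flag, and the /proc/mounts sample line are constructed assumptions for illustration. The parser handles the edge case that matters here: an MCS level with two categories ("s0:c123,c456") contains a comma, and the kernel quotes such a value in /proc/mounts, so a naive split on "," silently corrupts the label.

```python
"""Model of the kubelet decision behind SELinux context mounts for RWOP volumes,
plus a checker for the resulting mount as seen in /proc/mounts.

Added example; not code from the OpenShift Storage project or Kubernetes.
Defaults, feature-gate handling and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed defaults for seLinuxOptions fields the pod leaves unset, modelled on
# the labels a container runtime uses for volume content under the RHEL
# "targeted" policy. Only the level is never defaulted here: a pod without a
# level gets no "-o context" mount at all (see effective_label).
DEFAULT_USER = "system_u"
DEFAULT_ROLE = "object_r"
DEFAULT_TYPE = "container_file_t"


@dataclass
class SELinuxOptions:
    """Mirror of pod.spec.securityContext.seLinuxOptions (all fields optional)."""
    user: Optional[str] = None
    role: Optional[str] = None
    type: Optional[str] = None
    level: Optional[str] = None


def effective_label(opts: Optional[SELinuxOptions]) -> Optional[str]:
    """Build the file label to mount with, or None if the pod asked for no level.

    Kubelet cannot guess the MCS level (the runtime normally allocates it), so
    without an explicit level there is nothing safe to mount with. Under the
    OpenShift "restricted" SCC the level is assigned to the pod, so it is set.
    """
    if opts is None or not opts.level:
        return None
    return ":".join([
        opts.user or DEFAULT_USER,
        opts.role or DEFAULT_ROLE,
        opts.type or DEFAULT_TYPE,
        opts.level,
    ])


def selinux_mount_option(pod_opts: Optional[SELinuxOptions],
                         access_modes: List[str],
                         csidriver_selinux_mount: bool,
                         feature_enabled: bool = True) -> Optional[str]:
    """Return the mount option kubelet passes to the CSI driver, or None.

    None means the old path: the volume is mounted unlabelled and CRI-O
    recursively relabels it before the container starts.
    """
    if not feature_enabled:                      # assumed feature-gate switch
        return None
    if not csidriver_selinux_mount:              # CSIDriver.spec.seLinuxMount
        return None
    # RWOP only: exactly one pod may use the volume, so no other pod with a
    # different label can be bound to the same mount. Any other mode (or a
    # mixed list) falls back to recursive relabeling.
    if access_modes != ["ReadWriteOncePod"]:
        return None
    label = effective_label(pod_opts)
    if label is None:
        return None
    return f'context="{label}"'


def split_mount_options(options: str) -> List[str]:
    """Split a /proc/mounts option string on commas that are not inside quotes.

    The kernel quotes a context= value that itself contains a comma, which is
    exactly the case for an MCS label with two categories.
    """
    out: List[str] = []
    cur: List[str] = []
    in_quotes = False
    for ch in options:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out


def mounted_context(proc_mounts_line: str) -> Optional[str]:
    """Extract the SELinux context a mount was made with, from one /proc/mounts line."""
    fields = proc_mounts_line.split()
    if len(fields) < 4:
        raise ValueError("not a /proc/mounts line: %r" % proc_mounts_line)
    for opt in split_mount_options(fields[3]):
        if opt.startswith("context="):
            return opt[len("context="):].strip('"')
    return None           # no context= option: volume was (or must be) relabeled


def volume_label_matches_pod(pod_opts: SELinuxOptions, proc_mounts_line: str) -> bool:
    """Node-side check: was the volume mounted with the label the pod asked for?"""
    return mounted_context(proc_mounts_line) == effective_label(pod_opts)


# Constructed sample: what a context-mounted RWOP CSI volume would look like on a
# node. The device, path and label are made up for this example.
SAMPLE_MOUNT_LINE = (
    "/dev/disk/by-id/example-pvc-1 "
    "/var/lib/kubelet/pods/0f1e2d3c/volumes/kubernetes.io~csi/pvc-1/mount "
    'ext4 rw,relatime,context="system_u:object_r:container_file_t:s0:c123,c456" 0 0'
)

if __name__ == "__main__":
    pod = SELinuxOptions(level="s0:c123,c456")    # level as assigned by an SCC
    print(selinux_mount_option(pod, ["ReadWriteOncePod"], csidriver_selinux_mount=True))
    print(selinux_mount_option(pod, ["ReadWriteOnce"], csidriver_selinux_mount=True))
    print(volume_label_matches_pod(pod, SAMPLE_MOUNT_LINE))
```

      Run it against a real node with something like `grep kubernetes.io~csi /proc/mounts` fed to mounted_context: a context= option on the volume means the fast path was taken; its absence on an RWOP volume points at the CSIDriver object lacking seLinuxMount or the pod lacking a level.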

      Why is this important?

      IMPORTANT: As of 4.15, SELinux context mounts are Tech Preview (TP) and enabled by default for the RWOP access mode, which is also TP. In 4.16 RWOP is promoted to GA, while SELinux context mounts are still beta upstream. We can't ship a GA feature that relies on a TP sub-feature, so we need to treat SELinux context mounts for RWOP as fully supported while they are still beta upstream. We are continuing to work upstream to promote the SELinux feature to GA, but in the meantime we need to support customers who are using RWOP PVs.

      Upstream links

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. RWOP GA is dependent on this.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              rhn-engineering-jsafrane Jan Safranek
              Chao Yang