OpenShift Storage / STOR-2370

Allow setting storageSecurityPolicy per namespace (GA)


    • Allow setting fsGroupChangePolicy per namespace
    • Product / Portfolio Work
    • OCPSTRAT-2135 Allow setting storageSecurityPolicy per namespace (GA)
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal*

      What is our purpose in implementing this?  What new capability will be available to customers?

      Find and productise a way to configure fsGroupChangePolicy and selinuxChangePolicy per namespace.

      Implementation:

      Use labels on the namespace:

      storage.openshift.io/fsgroup-change-policy

      storage.openshift.io/selinux-change-policy

      New pods that do not already have an fsgroup or selinux change policy configured will inherit the value defined at the namespace level.
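      The defaulting rule above, written out as an added example (not OpenShift's own admission code): a namespace's labels are read, and a pod that leaves the field unset inherits the value while a pod that sets it explicitly keeps its own. The accepted label values mirroring the pod securityContext enums, and the choice to ignore rather than reject a malformed label value, are assumptions, not something this epic specifies.

```python
"""Simulated per-namespace defaulting of fsGroupChangePolicy / seLinuxChangePolicy.

Added example, not OpenShift's admission code. Assumption: the label values
mirror the corresponding PodSecurityContext field values.
"""
import copy

# Label keys come from the epic; the allowed-value sets are an assumption that
# mirrors the Kubernetes enums for fsGroupChangePolicy and seLinuxChangePolicy.
NS_LABELS = {
    "storage.openshift.io/fsgroup-change-policy": (
        "fsGroupChangePolicy", {"Always", "OnRootMismatch"}),
    "storage.openshift.io/selinux-change-policy": (
        "seLinuxChangePolicy", {"MountOption", "Recursive"}),
}


def apply_namespace_storage_defaults(namespace: dict, pod: dict) -> dict:
    """Return a copy of pod with namespace-level policies filled in.

    Only fields the pod does not already set are touched, matching the epic's
    rule that explicitly configured pods keep their own values. A label value
    outside the allowed set is skipped (assumption: defaulting must not block
    admission), so the pod falls back to the cluster default for that field.
    """
    out = copy.deepcopy(pod)
    sc = out.setdefault("spec", {}).setdefault("securityContext", {})
    labels = namespace.get("metadata", {}).get("labels", {})
    for label, (field, allowed) in NS_LABELS.items():
        value = labels.get(label)
        if value is None or value not in allowed:
            continue
        sc.setdefault(field, value)  # keeps an explicit pod-level setting
    return out


# Constructed sample objects (not from the page).
NAMESPACE = {"metadata": {"name": "app", "labels": {
    "storage.openshift.io/fsgroup-change-policy": "OnRootMismatch",
    "storage.openshift.io/selinux-change-policy": "bogus"}}}
PLAIN_POD = {"metadata": {"name": "web"},
             "spec": {"containers": [{"name": "c", "image": "img"}]}}
EXPLICIT_POD = {"metadata": {"name": "db"}, "spec": {
    "securityContext": {"fsGroupChangePolicy": "Always"},
    "containers": [{"name": "c", "image": "img"}]}}

if __name__ == "__main__":
    for p in (PLAIN_POD, EXPLICIT_POD):
        result = apply_namespace_storage_defaults(NAMESPACE, p)
        print(p["metadata"]["name"], result["spec"]["securityContext"])
```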

       
      Why is this important? (mandatory)

      What are the benefits to the customer or Red Hat?   Does it improve security, performance, supportability, etc?  Why is work a priority?

      The default value of fsGroupChangePolicy always leads to performance problems when a volume holds a large number of files. It is possible to set it to OnRootMismatch to limit the issue, but this is only possible at the workload level (pod/deployment/etc.), forcing users to remember to set it on every workload.

      This feature will simplify user experience by allowing admins to set the fsGroupChangePolicy on a per NS basis. Changing the default in k8s/OCP has been rejected; this epic is an alternative acceptable by customers.

      This applies to new workloads only NOT to already running ones.

      We want to use this feature to also drive the changes needed so that customers can use the same label/annotation on a per-namespace basis to set selinuxChangePolicy.

      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. As an OCP admin I would like to be able to configure fsGroupChangePolicy on a per NS basis.
      2. As an OCP admin I would like to be able to configure selinuxChangePolicy on a per NS basis.

       
      Dependencies (internal and external) (mandatory)

      What items must be delivered by other teams/groups to enable delivery of this epic. 

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - STOR
      • Documentation - STOR
      • QE - STOR
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Provide some (testable) examples of how we will know if we have achieved the epic goal.  

      Drawbacks or Risk (optional)

      Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

              hekumar@redhat.com Hemant Kumar
              rh-gs-gcharot Gregory Charot
              Wei Duan
              Chao Yang
              Original Estimate: 4w
              Remaining Estimate: 0m
              Time Spent: 4w