Details
- Epic
- Resolution: Done
- Critical
- None
- None
- Storage: [UPSTREAM] Recursive Permissions 2
- False
- None
- False
- Not Selected
- To Do
- OCPSTRAT-120 - Implement RWO SELinux context mounts (TechPreview)
- 100
- 100%
- 6
Description
This Epic is to track upstream work in the Storage SIG community.
This Epic is to track the SELinux-specific work required. fsGroup work is not included here.
Goal:
Continue contributing to and help move along the upstream efforts to enable recursive permissions functionality.
Finish the current SELinuxMountReadWriteOncePod feature upstream:
- Implement it in all volume plugins (the current alpha has just iSCSI and CSI).
- Add e2e tests and fix all tests that don't work well with SELinux.
- Implement the necessary changes in volume reconstruction so that the SELinux context is reconstructed as well.
The feature is probably going to stay alpha upstream.
Problem:
Recursive permission change takes very long for fsGroup and SELinux. For volumes with many small files, Kubernetes currently does a chown of every file on the volume (due to fsGroup). Similarly, container runtimes (such as CRI-O) perform a chcon of every file on the volume because of the SCC's SELinux context. Data on the volume may already have the correct GID/SELinux context, so Kubernetes needs a way to detect this automatically and avoid the long delay.
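As an added illustration (not part of this Jira issue or of the upstream project's own test fixtures), the three objects the SELinuxMountReadWriteOncePod feature needs before the kubelet can mount the volume with a `-o context=...` option instead of leaving CRI-O to chcon every file. It assumes the SELinuxMountReadWriteOncePod and ReadWriteOncePod feature gates are enabled; the driver name, storage class, image and MCS level are made-up placeholders.

```yaml
# Added example: CSIDriver + ReadWriteOncePod PVC + Pod with an explicit MCS level.
# All names below are hypothetical placeholders, not values from the issue.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: example.csi.vendor.io            # hypothetical driver name
spec:
  # The driver declares that its volumes accept the "context" mount option.
  # Without this, the kubelet falls back to the recursive relabel path.
  seLinuxMount: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  # The alpha feature only covers ReadWriteOncePod claims: a single pod,
  # so there is exactly one SELinux label the volume must carry.
  accessModes: ["ReadWriteOncePod"]
  resources:
    requests:
      storage: 1Gi
  storageClassName: example-csi          # assumed to be served by the CSIDriver above
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    # The MCS level must be explicit in the pod spec (on OpenShift the SCC
    # admission normally fills it in); user, role and type default to the
    # container runtime's labels. The kubelet builds the context= option from this.
    seLinuxOptions:
      level: "s0:c123,c456"              # placeholder level
  containers:
  - name: app
    image: registry.example.com/app:latest   # placeholder image
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data
```

If any of the three conditions is missing (driver without `seLinuxMount: true`, a non-ReadWriteOncePod claim, or no level in the pod), the kubelet silently uses the old per-file relabel, so checking mount options on the node is the quickest way to confirm the feature actually took effect.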
Why is this important:
- A user wants to bring their pod online quickly and efficiently.
Dependencies (internal and external):
Prioritized epics + deliverables (in scope / not in scope):
Estimate (XS, S, M, L, XL, XXL):
Previous Work:
Customers:
Open questions:
Notes:
Attachments
Issue Links
- is depended on by
  - RFE-3327 Implement Selinux context mounts (Accepted)
1. Docs Tracker | Closed | Unassigned
2. PX Tracker | Closed | Unassigned
3. QE Tracker | Closed | Unassigned
4. TE Tracker | Closed | Unassigned