Storage: [UPSTREAM] Recursive Permissions 2
Epic
Resolution: Done
Critical
Upstream
OCPSTRAT-120 - Implement RWOP SELinux context mounts (TechPreview)
This Epic tracks the upstream work in the Storage SIG community, specifically the SELinux-related work required. fsGroup work is not included here.
Goal:
Continue contributing to and help move along the upstream efforts to enable recursive permissions functionality.
Finish current SELinuxMountReadWriteOncePod feature upstream:
- Implement it in all volume plugins (the current alpha covers just iSCSI and CSI).
- Add e2e tests and fix all existing tests that don't work well with SELinux.
- Implement necessary changes in volume reconstruction to reconstruct also SELinux context.
The feature is probably going to stay alpha upstream.
Problem:
Recursive permission change takes very long for both fsGroup and SELinux. For volumes with many small files, Kubernetes currently does a chown of every file on the volume (due to fsGroup). Similarly, container runtimes (such as CRI-O) perform a chcon of every file on the volume because of the SCC's SELinux context. Data on the volume may already carry the correct GID/SELinux context, so Kubernetes needs a way to detect this automatically and avoid the long delay.
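As an added illustration (not part of this epic or the upstream KEP), the manifest below shows the shape of a workload that the SELinuxMountReadWriteOncePod feature applies to: a ReadWriteOncePod claim and a Pod with an explicit SELinux level. The object names, storage class, image and the level `s0:c123,c456` are constructed placeholders.

```yaml
# Constructed example: a ReadWriteOncePod claim plus a Pod that pins its
# SELinux level. With the SELinuxMountReadWriteOncePod feature gate enabled
# on kube-apiserver and kubelet (alpha), the kubelet can mount the volume with
# a "-o context=<label>" mount option derived from seLinuxOptions, so every
# file on the volume reports that label immediately and the per-file chcon the
# container runtime would otherwise perform is skipped.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-rwop                 # constructed name
spec:
  accessModes:
    - ReadWriteOncePod            # required: RWO/RWX volumes are not context-mounted by the alpha
  resources:
    requests:
      storage: 10Gi
  storageClassName: csi-example   # constructed; the CSI driver must declare seLinuxMount: true in its CSIDriver object
---
apiVersion: v1
kind: Pod
metadata:
  name: app-rwop                  # constructed name
spec:
  securityContext:
    # The level must be explicit: without it the runtime picks random MCS
    # categories per pod and the kubelet cannot build the mount option.
    seLinuxOptions:
      level: "s0:c123,c456"       # constructed MCS categories
  containers:
    - name: app
      image: registry.example.com/app:1.0   # constructed image
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data-rwop
```

A second Pod with a different level cannot mount the same RWOP claim while the first is running, which is what makes a single context mount option safe for the whole volume.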
Why is this important:
- A user wants to bring their pod online quickly and efficiently.
Dependencies (internal and external):
Prioritized epics + deliverables (in scope / not in scope):
Estimate (XS, S, M, L, XL, XXL):
Previous Work:
Customers:
Open questions:
Notes: