Bug 1356293 - [RFE] Need Kerberised mount of volume into container [NEEDINFO]
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.2.1
Hardware: x86_64 Linux
Priority: medium
Severity: high
Assigned To: Mike Barrett
Johnny Liu
Duplicates: 1332840
Depends On:
Blocks: 1267746
Reported: 2016-07-13 18:20 EDT by cmilsted
Modified: 2018-06-20 04:20 EDT

Type: Bug
fcami: needinfo? (mbarrett)
dcaldwel: needinfo? (mbarrett)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3255971 None None None 2017-12-11 08:58 EST

Description cmilsted 2016-07-13 18:20:31 EDT
Description of problem:

We need a security model where volumes are secured per project, i.e. the PV claim happens and then the security and mounting are all controlled at the pod level, not the container host. This way the container host cannot see any of the data in the volume in the pod.

The requirement the customers in the FSI industry have is that some data is very sensitive. Having a generic FUSE mount to the container host (even if this is kerberised) is something that they will struggle to get signed off by their security teams.

Some thoughts would be a sidecar model or Keycloak-style solution where the volume is encrypted to the pod and the project contains a secret to unlock this.


Version-Release number of selected component (if applicable):

3.2+


How reproducible:

Easily. Kerberos secured NFS cannot be mounted.


Steps to Reproduce:
1. Set up Kerberised NFS export.
2. Create a PV from this.
3. Try to mount PV into pod.

Actual results:


Expected results:


Additional info:
Comment 3 Josep 'Pep' Turro Mauri 2016-07-21 09:24:28 EDT
*** Bug 1332840 has been marked as a duplicate of this bug. ***
