Bug 1387509 - [Doc RFE] Document how to set security access for a volume.
Summary: [Doc RFE] Document how to set security access for a volume.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: doc-Container_Native_Storage_with_OpenShift
Version: cns-3.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: CNS 3.4
Assignee: Bhavana
QA Contact: krishnaram Karthick
URL:
Whiteboard:
Depends On:
Blocks: 1385252
Reported: 2016-10-21 07:01 UTC by Anjana Suparna Sriram
Modified: 2017-01-23 07:22 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-23 07:22:49 UTC
Target Upstream Version:
hchiramm: needinfo-



Description Anjana Suparna Sriram 2016-10-21 07:01:05 UTC
Additional info: This bug tracks the following use case as per the CNS 3.4 Content Plan: https://docs.google.com/document/d/1SrbUxavmmdbLn7FT2nhOAlX0Q3VTsqPCZyx6wV3gjn0/edit#


Use Case #1 - As an end user, I want to set the security access to my volumes.

Document concept and task information regarding how to set the Kubernetes’ securityContext option for all the containers within the OCP pod.

Comment 4 khartsoe@redhat.com 2016-10-27 20:09:24 UTC
Hi Bhavana...per feedback from Luis:
This will mostly be handled by dynamic provisioning. Humble is your main contact. Once a group id has been set for the volume, then the instructions in Section 19.3.4.1 in [1] can be followed to set up the application.

[1] https://access.redhat.com/documentation/en/openshift-container-platform/3.3/paged/installation-and-configuration/chapter-19-configuring-persistent-storage#install-config-persistent-storage-persistent-storage-glusterfs

Also, please include Erin Boyd in any review of the content. Thanks.

Comment 8 Bhavana 2016-11-14 07:19:50 UTC
Hi Humble,

Following is the updated link shared by Anjana:

https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#complete-example-using-gusterfs-defining-glusterfs-volume-access

Let me know if I can use it in the guide.

Comment 9 Humble Chirammal 2016-11-14 13:28:00 UTC
(In reply to Bhavana from comment #8)
> Hi Humble,
> 
> Following is the updated link shared by Anjana:
> 
> https://access.redhat.com/documentation/en/openshift-container-platform/3.3/
> single/installation-and-configuration/#complete-example-using-gusterfs-
> defining-glusterfs-volume-access
> 
> Let me know if I can use it in the guide.

LGTM.

Comment 10 Bhavana 2016-11-17 04:28:39 UTC
Hi Humble,

Here is the updated link with the details regarding volume security for statically provisioned volumes:

http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140189474689728

I would like to understand if we are going ahead with "Volume Security for Dynamically Provisioned Volumes" or not.

Based on that I can either move the bug on_qa or wait for more details wrt dynamically provisioned volumes.

Thanks.

Comment 11 Humble Chirammal 2016-12-05 13:37:39 UTC
(In reply to Bhavana from comment #10)
> Hi Humble,
> 
> Here is the updated link with the details regarding volume security for
> statically provisioned volumes:
> 
> http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-
> Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-
> branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/
> en-US/html-single/index.html#idm140189474689728
> 
> I would like to understand if we are going ahead with "Volume Security for
> Dynamically Provisioned Volumes" or not.
> 
> Based on that I can either move the bug on_qa or wait for more details wrt
> dynamically provisioned volumes.
> 
> Thanks.

We will have this feature in CNS 3.4. Let's work on the documentation.

Comment 12 Bhavana 2016-12-12 07:18:23 UTC
(In reply to Humble Chirammal from comment #11)
> (In reply to Bhavana from comment #10)
> > Hi Humble,
> > 
> > Here is the updated link with the details regarding volume security for
> > statically provisioned volumes:
> > 
> > http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-
> > Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-
> > branch-dynamic_provisioning_volume_security/lastSuccessfulBuild/artifact/tmp/
> > en-US/html-single/index.html#idm140189474689728
> > 
> > I would like to understand if we are going ahead with "Volume Security for
> > Dynamically Provisioned Volumes" or not.
> > 
> > Based on that I can either move the bug on_qa or wait for more details wrt
> > dynamically provisioned volumes.
> > 
> > Thanks.
> 
> We will have this feature in CNS 3.4. Lets work on the documentation.

Sure Humble,

Can you please share the steps to set up Volume Security for Dynamically Provisioned Volumes?

Thanks

Comment 13 Humble Chirammal 2016-12-12 13:19:51 UTC
The dynamic provisioner introduced 2 more new parameters called gidMin and gidMax which allow the admin to configure the GID range for the storage class.

For ex:

gidMin: "2000"
gidMax: "4000"

If mentioned, the dynamic provisioner will allocate a GID from this range. While deleting the claim, the GID will be released from it. 


Using the gluster dynamic provisioner, create a PVC, for ex: claim1

Once the PV is bound, attach the PVC to the pod; this pod has to be spawned in non-privileged mode.

Then go to the gluster PVC mount point in the pod.

Start writing to the volume.

Expected result :  The write from the pod should work without issues.

Validate the mount permissions; they will be "775" on this mount point.

The GID is internally created and passed to the POD as supplemental Group ID.

Please feel free to ping if you need any more details on this.
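
The flow described in this comment, written out as manifests. This is an added example, not content from the bug or from the CNS documentation: a StorageClass that restricts the GID range the gluster dynamic provisioner may allocate from, a claim against that class, and a non-privileged pod that consumes the claim. The StorageClass name, the resturl endpoint, the restuser value and the secret name are placeholders; the storage-class annotation on the claim is the pre-storageClassName form used by OpenShift 3.3/3.4.

```yaml
# Added example (not from the bug or the CNS docs). Placeholders: the class
# name, the heketi resturl, restuser and the secret name must be adjusted.
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: gluster-gid-range                  # placeholder class name
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://heketi.example.internal:8080"   # placeholder heketi endpoint
  restuser: "admin"                                  # placeholder user
  secretNamespace: "default"
  secretName: "heketi-secret"                        # placeholder; must already exist
  # gidMin/gidMax as described in comment 13: the provisioner hands out one GID
  # per PV from this range and returns it to the pool when the claim is deleted.
  gidMin: "2000"
  gidMax: "4000"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: claim1
  annotations:
    # Binds the claim to the class above (OCP 3.3/3.4 annotation form).
    volume.beta.kubernetes.io/storage-class: gluster-gid-range
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
    - name: busybox
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: data
          mountPath: /mnt/gluster
      securityContext:
        privileged: false    # non-privileged, as the comment requires; the
                             # allocated GID arrives as a supplemental group
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: claim1
```

After creating the three objects with `oc create -f`, the provisioner records the allocated GID on the bound PV as the `pv.beta.kubernetes.io/gid` annotation, and the kubelet adds that GID to the pod's supplemental groups. Running `id` inside the pod (`oc rsh busybox`) therefore shows a GID from the 2000-4000 range in `groups`, as in the output quoted in comment 21, and the mount point carries mode 775, so a non-root process in the pod can write through group permissions without the pod being privileged. Deleting claim1 releases the GID back to the pool.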

Comment 14 Bhavana 2016-12-14 13:34:05 UTC
Hi Humble,

Based on comment 13 I have the following queries. I am not sure if all of these are valid, but you can be the judge of that :)

1) If the admin has to configure the GID range for the storage class, should this be added in the storage class file? If yes, can you please provide a sample storage class file with the GID details added.

2) Is the PVC file the same as the one that was added in section 5.2.1.3. Creating a Persistent Volume Claim, or are there changes to it, and should that be included in the flow of steps?

3) Based on your comment "Once the PV Is bound, attach the PVC to the pod , this pod has to be spawned in non privilged mode." Is this pod file the same as step 1 in 5.2.1.5. Using the Claim in a Pod, or will there be changes here wrt the GIDs?

4) I need the steps for the following too:

Then go to gluster pvc mount point in the pod.

Start writing to the volume 

Are these the steps one performs after verifying that the PV is mounted in the container? (oc rsh busybox)



Link for reference: http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html

Comment 15 Humble Chirammal 2016-12-15 13:13:47 UTC
Bhavana, can you please directly point to the doc where I can edit?

Comment 16 Bhavana 2016-12-15 15:04:41 UTC
Hi Humble,

Following is the link to the google doc, where I have added the same queries so that it is easier to refer:

https://docs.google.com/a/redhat.com/document/d/1ezbk2vVRG7WvVH0qvYqNceX5wOckhTYnbfOXmz0WyJs/edit?usp=sharing

You can add the details here.

Comment 17 Humble Chirammal 2016-12-16 09:15:55 UTC
Bhavana, clearing needinfo based on our f2f discussion.

Comment 18 Bhavana 2016-12-16 12:52:07 UTC
Hi Humble,

Based on my meeting with you and Ashiq, I have added the details regarding volume security for dynamically provisioned volumes under section 5.3:

http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.4-Container_Native_Storage_with_OpenShift_Platform-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm140149139570160

Let me know if you have any further comments or whether this looks ok, based on which I shall move this bug to on_qa.


Thanks

Comment 19 Humble Chirammal 2016-12-16 12:57:24 UTC
Bhavana, we also need to mention when deleting the claim, the GID of the PV is released from the pool.

Comment 21 krishnaram Karthick 2017-01-09 09:56:44 UTC
The document looks good, I have a minor change to suggest. I'll move the bug to verified once the change is made.

step 4 under Volume security for dynamically provisioned volumes,

# oc rsh busybox

# id

For example:

# id
uid=1000060000 gid=0(root) groups=0(root),2001

should be, 

# oc rsh busybox

$ id

For example:

$ id
uid=1000060000 gid=0(root) groups=0(root),2001

Comment 23 krishnaram Karthick 2017-01-09 15:57:51 UTC
doc content looks good to me, moving the bug to verified.

