1. Proposed title of this feature request Make Openshift to correctly set the SELinux context during directory creation for hostpath volumes. 3. What is the nature and description of the request? The configuration of persistent volumes with the type hostPath doesn't set SElinux policies on the file system and in the container. The estimated behaviour would be, that the volume is created on node side, where the hostpath volume is claimed, with the correct SELinux policies during claiming 4. Why does the customer need this? (List the business requirements here) They want to use the benefit from the maximum security configuration of OpenShift. Because of this, they look for SELinux integration proper working with hostpath storage on restricted pods. 5. How would the customer like to achieve this? (List the functional requirements here) Apply the correct SELinux policies to the directory created during the first mount of the volume 7. Is there already an existing RFE upstream or in Red Hat bugzilla? No BZ, but there is an statement about this from Kuberenetes documentation [0]: """ the directories created on the underlying hosts are only writable by root. You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume """ [0] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant. This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.