Bug 1461470 - RFE - Apply correct SELinux Policies for HostPath persistent volumes in OpenShift 3.5
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Assignee: Eric Paris
QA Contact: Xiaoli Tian
Reported: 2017-06-14 13:59 UTC by Nicolas Nosenzo
Modified: 2019-06-12 11:54 UTC

Last Closed: 2019-06-12 11:54:44 UTC

Description Nicolas Nosenzo 2017-06-14 13:59:51 UTC
1. Proposed title of this feature request
Make OpenShift correctly set the SELinux context during directory creation for hostPath volumes.

3. What is the nature and description of the request?
The configuration of persistent volumes with the type hostPath doesn't set SELinux policies on the file system and in the container.
The estimated behaviour would be that the volume is created on the node side, where the hostPath volume is claimed, with the correct SELinux policies during claiming.

4. Why does the customer need this? (List the business requirements here)
They want to benefit from the maximum security configuration of OpenShift. Because of this, they are looking for SELinux integration that works properly with hostPath storage on restricted pods.

5. How would the customer like to achieve this? (List the functional requirements here)
Apply the correct SELinux policies to the directory created during the first mount of the volume.

7. Is there already an existing RFE upstream or in Red Hat bugzilla?
No BZ, but there is a statement about this in the Kubernetes documentation [0]:


"""
the directories created on the underlying hosts are only writable by root. You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume
"""

[0] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

Comment 5 Kirsten Newcomer 2019-06-12 11:54:44 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

