Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do we need gidMin/gidMax in the StorageClass? #93

Open
JohnStrunk opened this issue Nov 8, 2018 · 4 comments
Open

Do we need gidMin/gidMax in the StorageClass? #93

JohnStrunk opened this issue Nov 8, 2018 · 4 comments

Comments

@JohnStrunk
Copy link
Member

In PR #30 we have a proposed set of storage class parameters. As a part of creating this list, I took a look at the existing parameters accepted by the glusterfs provisioner that uses Heketi. It is unclear what the utility of the gidMin and gidMax parameters are and whether they should be brought forward into the CSI driver.

@JohnStrunk JohnStrunk self-assigned this Nov 8, 2018
@JohnStrunk
Copy link
Member Author

This seems related, but not consistent with the fsGroup parameter in a container or pod's securityContext. The info on fsGroup points to https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volume-ownership-management.md

Also related in the volume design that discusses whether and which volume types support ownership change: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volumes.md#volume-changes

@JohnStrunk
Copy link
Member Author

@JohnStrunk
Copy link
Member Author

Thanks to @rootfs I believe we have the source:

@jarrpa
Copy link
Contributor

jarrpa commented Nov 12, 2018

After some recent discussion, it seems we can get away without gidMin and gidMax without running into any security problems. The GID on root of the GlusterFS volume does need to be known, but it is exposed as an annotation on the associated PV. For dynamically provisioned volumes, we control that value. That annotation is then added to the supplementalGroups of any Pod that attached to the GlusterFS volume's PVC. Thus, the onus of security falls on the access to the PVC and less so on the underlying filesystem. The purpose of the GID, then, is merely to grant consistent access across Pod restarts and for RWX cases.

To resolve this, we can simply generate a random GID per volume. If this happens to overlap with a GID inside a Pod's containers, no additional security threat that isn't already present in the gidMin/gidMax implementation would be added.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants