-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do we need gidMin/gidMax in the StorageClass? #93
Comments
This seems related, but not consistent with the Also related in the volume design that discusses whether and which volume types support ownership change: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volumes.md#volume-changes |
Related Heketi items:
|
Thanks to @rootfs I believe we have the source:
|
After some recent discussion, it seems we can get away without gidMin and gidMax without running into any security problems. The GID on root of the GlusterFS volume does need to be known, but it is exposed as an annotation on the associated PV. For dynamically provisioned volumes, we control that value. That annotation is then added to the supplementalGroups of any Pod that attached to the GlusterFS volume's PVC. Thus, the onus of security falls on the access to the PVC and less so on the underlying filesystem. The purpose of the GID, then, is merely to grant consistent access across Pod restarts and for RWX cases. To resolve this, we can simply generate a random GID per volume. If this happens to overlap with a GID inside a Pod's containers, no additional security threat that isn't already present in the gidMin/gidMax implementation would be added. |
In PR #30 we have a proposed set of storage class parameters. As a part of creating this list, I took a look at the existing parameters accepted by the glusterfs provisioner that uses Heketi. It is unclear what the utility of the
gidMin
andgidMax
parameters are and whether they should be brought forward into the CSI driver.The text was updated successfully, but these errors were encountered: