Open mitovskaol opened 5 years ago
Thinking out loud, this could be as simple as a test that determines the number of mounts for a PVC is exactly one and the PVC is mounted on the expected pod.
@WadeBarnes I was thinking that we would go through the steps that someone would need to take to mount an incorrect PV, and the permissions they require to do so. Does that make sense, and from there maybe a test can be built?
@stewartshea, Yes
Still in progress as of Oct 9, 2019
Any updates on this, team?
@stewartshea and I have yet to put our heads together on this one.
@wade, I will bring it up at our backlog refinement meeting tomorrow. Thanks
Develop a set of tests or processes to verify other pods (from the same, or separate namespace) cannot easily access the PVC of the database pod.
Given the right permissions and conditions, more than one pod can mount the same volume. We're not trying to lock down that functionality; we're looking for a way to verify this functionality is not inadvertently leaked or readily available unintentionally.
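One way to express the "exactly one mount, on the expected pod" test suggested in the thread, as an added example that is not code from this project. It assumes the input has the shape of `kubectl get pods -n <namespace> -o json` and that the expected pod is identified by a name prefix; the namespace, claim and pod names are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get pods -n db-dev -o json`;
# every name below is made up for this example.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "postgresql-1-abcde", "namespace": "db-dev"},
   "status": {"phase": "Running"},
   "spec": {"volumes": [{"name": "data",
            "persistentVolumeClaim": {"claimName": "postgresql"}}]}},
  {"metadata": {"name": "debug-pod", "namespace": "db-dev"},
   "status": {"phase": "Running"},
   "spec": {"volumes": [{"name": "extra",
            "persistentVolumeClaim": {"claimName": "postgresql"}}]}},
  {"metadata": {"name": "api-1-xyz", "namespace": "db-dev"},
   "status": {"phase": "Running"},
   "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "api"}}]}}
]}
""")


def pods_using_claim(pod_list, namespace, claim_name):
    """Names of non-terminated pods in `namespace` whose spec references the PVC."""
    users = []
    for pod in pod_list.get("items", []):
        if pod["metadata"].get("namespace") != namespace:
            continue
        if pod.get("status", {}).get("phase") in ("Succeeded", "Failed"):
            continue  # terminated pods no longer hold the volume
        for vol in pod.get("spec", {}).get("volumes", []):
            pvc = vol.get("persistentVolumeClaim")
            if pvc and pvc.get("claimName") == claim_name:
                users.append(pod["metadata"]["name"])
                break
    return sorted(users)


def check_single_mount(pod_list, namespace, claim_name, expected_prefix):
    """Pass only if exactly one pod uses the claim and it is the expected pod.

    Matching by name prefix is an assumption of this example, chosen because
    pods created by a deployment carry generated suffixes.
    """
    users = pods_using_claim(pod_list, namespace, claim_name)
    unexpected = [p for p in users if not p.startswith(expected_prefix)]
    return (len(users) == 1 and not unexpected), users, unexpected
```

The check reads pod specs only, so it reports which pods currently reference the claim, not which accounts hold the permissions to create such a pod.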