gluster / gluster-csi-driver

DEPRECATED: Gluster Container Storage Interface (CSI) driver
GNU Lesser General Public License v3.0
57 stars 30 forks source link

Do we need gidMin/gidMax in the StorageClass? #93

Open JohnStrunk opened 6 years ago

JohnStrunk commented 6 years ago

In PR #30 we have a proposed set of storage class parameters. As a part of creating this list, I took a look at the existing parameters accepted by the glusterfs provisioner that uses Heketi. It is unclear what the utility of the gidMin and gidMax parameters are and whether they should be brought forward into the CSI driver.

JohnStrunk commented 6 years ago

This seems related, but not consistent with the fsGroup parameter in a container or pod's securityContext. The info on fsGroup points to https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volume-ownership-management.md

Also related in the volume design that discusses whether and which volume types support ownership change: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volumes.md#volume-changes

JohnStrunk commented 6 years ago

Related Heketi items:

JohnStrunk commented 6 years ago

Thanks to @rootfs I believe we have the source:

jarrpa commented 6 years ago

After some recent discussion, it seems we can get away without gidMin and gidMax without running into any security problems. The GID on root of the GlusterFS volume does need to be known, but it is exposed as an annotation on the associated PV. For dynamically provisioned volumes, we control that value. That annotation is then added to the supplementalGroups of any Pod that attached to the GlusterFS volume's PVC. Thus, the onus of security falls on the access to the PVC and less so on the underlying filesystem. The purpose of the GID, then, is merely to grant consistent access across Pod restarts and for RWX cases.

To resolve this, we can simply generate a random GID per volume. If this happens to overlap with a GID inside a Pod's containers, no additional security threat that isn't already present in the gidMin/gidMax implementation would be added.