Open JohnStrunk opened 6 years ago
This seems related, but not consistent with the fsGroup
parameter in a container or pod's securityContext
. The info on fsGroup points to https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volume-ownership-management.md
Also related in the volume design that discusses whether and which volume types support ownership change: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volumes.md#volume-changes
Related Heketi items:
Thanks to @rootfs I believe we have the source:
After some recent discussion, it seems we can get away without gidMin and gidMax without running into any security problems. The GID on root of the GlusterFS volume does need to be known, but it is exposed as an annotation on the associated PV. For dynamically provisioned volumes, we control that value. That annotation is then added to the supplementalGroups of any Pod that attached to the GlusterFS volume's PVC. Thus, the onus of security falls on the access to the PVC and less so on the underlying filesystem. The purpose of the GID, then, is merely to grant consistent access across Pod restarts and for RWX cases.
To resolve this, we can simply generate a random GID per volume. If this happens to overlap with a GID inside a Pod's containers, no additional security threat that isn't already present in the gidMin/gidMax implementation would be added.
In PR #30 we have a proposed set of storage class parameters. As a part of creating this list, I took a look at the existing parameters accepted by the glusterfs provisioner that uses Heketi. It is unclear what the utility of the
gidMin
andgidMax
parameters are and whether they should be brought forward into the CSI driver.