goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.81k stars 4.74k forks

Need to use NFS volumes for Harbor image storage -- netapps nfs #13502

Open suh209 opened 3 years ago

suh209 commented 3 years ago

Hi,

My Harbor deployment is not a K8S deployment. I have been using it in production for two years now. Recently it has gained huge popularity inside my organisation, so the storage is always getting full. I now need to migrate its storage to NetApp NFS volumes. The problem I am facing is that my NetApp NFS volumes need authentication from my company's Active Directory for access. In short, only AD-authenticated users can have access to the NFS volumes.

As almost all the Harbor containers run their services as the 'harbor' user/group with UID/GID 10000/10000, containers like registry or registryctl do not have access to the NFS volume.

Can you please suggest any solution?
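A pre-flight check for the situation described above, added here as an example and not taken from the issue or from Harbor's own code: it tells you whether the fixed identity Harbor's containers run as (UID/GID 10000/10000, the value quoted in the issue) would get read and write on a mounted export. It assumes a Linux host with GNU or busybox stat and, for the live probe, util-linux setpriv run as root; the script name nfs-precheck.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example for this thread, not code from Harbor or from the issue author.
# Pre-flight check: would UID/GID 10000/10000 (the identity Harbor's containers
# run as, per the issue) get read+write on a directory?
#
# posix_rw_access only evaluates the owner/group/mode bits that `stat` reports.
# On an AD-backed NetApp export the server can still refuse the request
# (Kerberos identity mapping, NFSv4 ACLs), so a mode-bit pass is necessary but
# not sufficient; probe_write_as does the real test by creating a file while
# running under that identity.  Assumes GNU/busybox stat and, for the probe,
# util-linux setpriv invoked as root.

HARBOR_UID=10000
HARBOR_GID=10000

# posix_rw_access DIR UID GID -> 0 if read+write is granted by the mode bits,
# 1 if not, 2 if DIR cannot be stat'ed.  POSIX picks exactly one class:
# owner if UID matches, else group if the primary GID matches, else other.
# Supplementary groups are not considered.
posix_rw_access() {
    dir=$1; uid=$2; gid=$3
    out=$(stat -c '%u %g %a' "$dir" 2>/dev/null) || return 2
    set -- $out                          # owner group octal-mode
    owner=$1; group=$2; mode=$3
    perm=$(printf '%04d' "$mode")        # stat prints "0" for 000, "2755" for setgid dirs
    perm=${perm#?}                       # keep the last three octal digits
    if [ "$uid" -eq "$owner" ]; then
        bits=${perm%??}                  # owner digit
    elif [ "$gid" -eq "$group" ]; then
        bits=${perm#?}; bits=${bits%?}   # group digit
    else
        bits=${perm#??}                  # other digit
    fi
    [ $(( bits & 6 )) -eq 6 ]            # read (4) and write (2) both set
}

# probe_write_as DIR UID GID -> 0 if a file can be created and removed in DIR
# while running as UID/GID with no supplementary groups.  Needs root.
probe_write_as() {
    dir=$1; uid=$2; gid=$3
    [ "$(id -u)" -eq 0 ] || { echo "probe_write_as: run as root" >&2; return 2; }
    setpriv --reuid="$uid" --regid="$gid" --clear-groups \
        sh -c 'f="$1/.harbor-probe.$$"; : > "$f" && rm -f "$f"' sh "$dir"
}

# Usage (hypothetical file name): sh nfs-precheck.sh /path/to/mounted/export
if [ $# -gt 0 ]; then
    if posix_rw_access "$1" "$HARBOR_UID" "$HARBOR_GID"; then
        echo "mode bits grant rw to $HARBOR_UID:$HARBOR_GID on $1"
    else
        echo "mode bits do NOT grant rw to $HARBOR_UID:$HARBOR_GID on $1"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        probe_write_as "$1" "$HARBOR_UID" "$HARBOR_GID" \
            && echo "live probe: write as $HARBOR_UID:$HARBOR_GID succeeded" \
            || echo "live probe: write as $HARBOR_UID:$HARBOR_GID FAILED (server-side auth?)"
    fi
fi
```

The mode-bit result is only what a local POSIX check can see; an export that requires an AD-authenticated identity can still reject the registry container at the server, which is why the probe under a real UID 10000 is the test that matters before pointing Harbor's registry at the mount.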

reasonerjt commented 3 years ago

I'm new to the restrictions in NetApp.

Is it possible for the AD-authenticated user to grant permission to other users?

I think you need to work with your IT admin to figure out a way to make the NFS volume readable by UID/GID 10000/10000.

xaleeks commented 3 years ago

I've also never worked with NetApp specifically, but is there a way to mount the volumes with credentials somehow for client access? I can't imagine this being a Harbor-only problem; how do other headless services get authenticated access to NFS volumes, or CIFS volumes for example?

But this is definitely something we should look into if he can't get this to work, @reasonerjt.

suh209 commented 3 years ago

> I'm new to the restrictions in NetApp.
>
> Is it possible for the AD-authenticated user to grant permission to other users?
>
> I think you need to work with your IT admin to figure out a way to make the NFS volume readable by UID/GID 10000/10000.

I went down that path, but our Cyber Security guys denied it. I asked them to create a Service Account (which would have access to NFS) with UID/GID 10000, which was denied due to security concerns. I also requested that they create an NFS volume which can be accessed using a local account. This was also denied due to security concerns. So I am basically out of options.

suh209 commented 3 years ago

> I've also never worked with NetApp specifically, but is there a way to mount the volumes with credentials somehow for client access? I can't imagine this being a Harbor-only problem; how do other headless services get authenticated access to NFS volumes, or CIFS volumes for example?
>
> But this is definitely something we should look into if he can't get this to work, @reasonerjt.

As I said in my answer above, there are two possible solutions to this problem:

  1. Create a Service Account with UID/GID 10000/10000, which will be authenticated by AD. So practically UID/GID 10000 will have access to the NetApp storage.
  2. Create a NetApp NFS volume which can be accessed from a local Linux account (e.g. 10000/10000).

Both of these proposals were denied by the cyber security team.

reasonerjt commented 3 years ago

@suh209 could you give me a concrete example of how other container-based applications can work for you with such settings in NetApp?

@xaleeks My first reaction is that I don't think we can support such a level of customization in OSS unless we remove all security restrictions from the Dockerfile, and then the docker-compose model would violate a lot of security restrictions for other users.

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.