sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A19 #19

Open sluetze opened 10 months ago

sluetze commented 1 month ago

The containers SHOULD ONLY be able to access the mass storage and directories necessary for operation.

Applications can access persistent volumes (PVs) and temporary (ephemeral) storage in OpenShift. Persistent volumes are connected as network storage; ephemeral storage serves primarily as volatile, short-lived mass storage and is allocated within the container file system. This configures which PV can be reached, and the use of the ephemeral storage is separated per pod. This means that each pod has its own volatile mass storage. Volumes can be limited in size.

Permissions SHOULD be granted explicitly only if they are needed.

OpenShift implements the principle of least privilege. The definition is made via an explicit configuration at the deployment level.

If the container runtime includes local storage for a container, the access rights in the file system SHOULD be restricted to the container's service account.

By default, no local storage is included. For reasons of reliability, this is explicitly not recommended.

If network storage is used, the permissions SHOULD be set on the network storage itself.

The network storage dictates the permissions. OpenShift supports this with the dynamically assigned UID/GID of the projects (clients).
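The explicit, per-pod storage declaration discussed in this thread, as an added example that is neither part of the issue nor of the ComplianceAsCode content: a small Python check over a constructed pod spec (all volume, claim and container names are made up) that flags storage settings which contradict the points above: node-level hostPath volumes, ephemeral storage without a size limit, a pinned UID/GID instead of the project-assigned range, and PVC mounts left writable without need.

```python
"""Check a pod spec for storage access that is broader than SYS.1.6.A19 intends."""
from typing import Dict, List

# Constructed sample pod template (not taken from the issue); every name is made up.
SAMPLE_POD_SPEC: Dict = {
    "securityContext": {"runAsUser": 0},  # hard-coded UID bypasses the project range
    "volumes": [
        {"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}},
        {"name": "scratch", "emptyDir": {}},                  # no sizeLimit
        {"name": "host", "hostPath": {"path": "/var/lib"}},   # node filesystem
    ],
    "containers": [{
        "name": "app",
        "volumeMounts": [
            {"name": "data", "mountPath": "/data"},           # writable PVC mount
            {"name": "scratch", "mountPath": "/tmp/work"},
            {"name": "host", "mountPath": "/host"},
        ],
    }],
}


def check_pod_storage(spec: Dict) -> List[str]:
    """Return one finding per storage setting that grants more than needed."""
    findings: List[str] = []
    volumes = {v["name"]: v for v in spec.get("volumes", [])}

    for name, vol in volumes.items():
        if "hostPath" in vol:
            findings.append(f"volume {name}: hostPath exposes the node filesystem")
        if "emptyDir" in vol and "sizeLimit" not in vol["emptyDir"]:
            findings.append(f"volume {name}: emptyDir has no sizeLimit")

    # Heuristic: on OpenShift the restricted SCC assigns UID/GID from the project
    # range, so a pinned runAsUser/fsGroup in the manifest is worth a look.
    sc = spec.get("securityContext", {})
    if "runAsUser" in sc or "fsGroup" in sc:
        findings.append("securityContext pins runAsUser/fsGroup instead of the project range")

    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"])
            if vol is None:
                findings.append(f"container {c['name']}: mount {m['name']} has no volume")
            elif "persistentVolumeClaim" in vol and not m.get("readOnly", False):
                findings.append(f"container {c['name']}: PVC mount {m['mountPath']} "
                                "is writable; set readOnly unless writes are required")
    return findings
```

Run it against a real pod template by loading the Deployment YAML into a dict first; the check only reads the `spec.template.spec` portion.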