[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723

php-coder · 2017-06-14T18:44:23Z

This PR proposes to add the AllowedFlexVolumes to a PSP to control pod's access to the different Flexvolume drivers.

liggitt · 2017-06-14T18:47:55Z

@Q-Lee @kubernetes/sig-auth-proposals

adelton · 2017-07-25T13:40:37Z

Do we really want to go with separate AllowedFlexDrivers? Would it be easier for users to list the allowed vendor/drivers as part of the volumes list, something like flexVolume/redhat.com/kvm, flexVolume/example.com/keytab?

In a similar manner, there could then be hostPath/var/lib/datax and similar ways to restrict scope of other volume types.

pweil- · 2017-07-25T13:45:35Z

Do we really want to go with separate AllowedFlexDrivers? Would it be easier for users to list the allowed vendor/drivers as part of the volumes list, something like flexVolume/redhat.com/kvm, flexVolume/example.com/keytab?

We currently validate that we're covering volume sources to prevent drift between allowed and available volumes so that would have to be changed if we decided to do this (just need to keep that in mind)

liggitt · 2017-07-25T15:30:33Z

each volume source type is likely to have different options. for hostpath, it is the local filesystem path. for flexvolumes, it's driver (and possibly option-level control in the future). I'd rather keep different things different.

adelton · 2017-07-27T13:25:36Z

In general, the proposal LGTM.

php-coder · 2017-08-01T16:51:02Z

AllowedFlexDrivers was renamed to AllowedFlexvolumes and type was changed from []string to []AllowedFlexvolume. This lets us expand options in the future (suggested by @liggitt).

liggitt · 2017-08-01T16:53:34Z

contributors/design-proposals/flex-volumes-drivers-psp.md

+    // Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
+    // is allowed in the "Volumes" field.
+    // +optional
+    AllowedFlexvolumes []AllowedFlexvolume


nit, AllowedFlexVolumes (match the case in the field)

Thanks, fixed.

liggitt · 2017-08-02T14:33:32Z

cc @kubernetes/sig-storage-proposals @kubernetes/sig-auth-proposals

liggitt · 2017-08-02T14:37:03Z

contributors/design-proposals/flex-volumes-drivers-psp.md

+
+### Validation rules
+
+No validation is expected for Flexvolume driver names. API server should allow


nit: driver name should be non-empty

liggitt · 2017-08-12T00:53:56Z

this LGTM and parallels fine-grained control over hostpaths. control over specific flex drivers is important as they begin to be used for a wider variety of applications

liggitt · 2017-08-12T01:49:11Z

ping @kubernetes/sig-storage-proposals @saad-ali @childsb

php-coder · 2017-08-23T10:21:45Z

Commits were squashed without changes.

PTAL.

childsb · 2017-08-23T14:09:39Z

This LGTM

liggitt · 2017-08-23T14:10:05Z

/lgtm

k8s-github-robot · 2017-08-23T14:11:12Z

Automatic merge from submit-queue

saad-ali · 2017-08-29T17:15:08Z

Seems reasonable to me.

Automatic merge from submit-queue SCC: add AllowedFlexVolumes to manage a whitelist of allowed flexvolumes drivers Proposal: kubernetes/community#723 Trello: https://trello.com/c/YT6sNEay/61-5-sccfsi-psp-scc-flex-volume-support Examples: #15558 (comment)

Automatic merge from submit-queue (batch tested with PRs 55824, 53179). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Allow Pod Security Policy to manage access to the Flexvolumes **What this PR does / why we need it**: For proposal: https://github.com/kubernetes/community/blob/a1b9495e1b722699196ccec88d831fc850100827/contributors/design-proposals/auth/flex-volumes-drivers-psp.md (kubernetes/community#723) **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note Pod Security Policy can now manage access to specific FlexVolume drivers ```

Automatic merge from submit-queue (batch tested with PRs 55824, 53179). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Allow Pod Security Policy to manage access to the Flexvolumes **What this PR does / why we need it**: For proposal: https://github.com/kubernetes/community/blob/a1b9495e1b722699196ccec88d831fc850100827/contributors/design-proposals/auth/flex-volumes-drivers-psp.md (kubernetes/community#723) **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note Pod Security Policy can now manage access to specific FlexVolume drivers ``` Kubernetes-commit: f0e337cd56f36a6c9b8a0107084baa18fc20ddd8

@smarterclayton

…_scc Automatic merge from submit-queue [Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes This PR proposes to add the `AllowedFlexVolumes` to a PSP to control pod's access to the different Flexvolume drivers. PTAL @smarterclayton @pweil- @mfojtik

Co-authored-by: Mitch Connors <[email protected]>

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 14, 2017

ericchiang changed the title ~~[Poposal] Allow a Pod Security Policy to managing access to the Flexvolumes~~ [Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes Jun 19, 2017

php-coder mentioned this pull request Jul 31, 2017

SCC: add AllowedFlexVolumes to manage a whitelist of allowed flexvolumes drivers openshift/origin#15558

Merged

liggitt reviewed Aug 1, 2017

View reviewed changes

liggitt added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. labels Aug 2, 2017

liggitt reviewed Aug 2, 2017

View reviewed changes

php-coder force-pushed the flex_volumes_drivers_scc branch from faa311b to 314ccc4 Compare August 2, 2017 14:56

k8s-github-robot assigned grodrigues3 and idvoretskyi Aug 15, 2017

k8s-github-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 15, 2017

grodrigues3 unassigned idvoretskyi and grodrigues3 Aug 16, 2017

k8s-github-robot assigned grodrigues3 and sarahnovotny Aug 16, 2017

grodrigues3 assigned liggitt and unassigned sarahnovotny and grodrigues3 Aug 17, 2017

flex-volumes-drivers-psp.md: add proposal.

5602388

php-coder force-pushed the flex_volumes_drivers_scc branch from 77259b2 to 5602388 Compare August 23, 2017 10:20

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2017

k8s-github-robot merged commit 3518e7d into kubernetes:master Aug 23, 2017

php-coder deleted the flex_volumes_drivers_scc branch August 23, 2017 14:12

wanghaoran1988 mentioned this pull request Nov 23, 2017

Allow Pod Security Policy to manage access to the Flexvolumes kubernetes/kubernetes#53179

Merged

danehans pushed a commit to danehans/community that referenced this pull request Jul 18, 2023

Update member qwertyuiop888 to albertsun0 (kubernetes#723)

b7d52e2

Co-authored-by: Mitch Connors <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723

[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723

php-coder commented Jun 14, 2017 •

edited

Loading

liggitt commented Jun 14, 2017

adelton commented Jul 25, 2017

pweil- commented Jul 25, 2017

liggitt commented Jul 25, 2017

adelton commented Jul 27, 2017

php-coder commented Aug 1, 2017

liggitt Aug 1, 2017

php-coder Aug 1, 2017

liggitt commented Aug 2, 2017 •

edited

Loading

liggitt Aug 2, 2017

liggitt commented Aug 12, 2017 •

edited

Loading

liggitt commented Aug 12, 2017

php-coder commented Aug 23, 2017

childsb commented Aug 23, 2017

liggitt commented Aug 23, 2017

k8s-github-robot commented Aug 23, 2017

saad-ali commented Aug 29, 2017


		### Validation rules

		No validation is expected for Flexvolume driver names. API server should allow

[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723

[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723

Conversation

php-coder commented Jun 14, 2017 • edited Loading

liggitt commented Jun 14, 2017

adelton commented Jul 25, 2017

pweil- commented Jul 25, 2017

liggitt commented Jul 25, 2017

adelton commented Jul 27, 2017

php-coder commented Aug 1, 2017

liggitt Aug 1, 2017

Choose a reason for hiding this comment

php-coder Aug 1, 2017

Choose a reason for hiding this comment

liggitt commented Aug 2, 2017 • edited Loading

liggitt Aug 2, 2017

Choose a reason for hiding this comment

liggitt commented Aug 12, 2017 • edited Loading

liggitt commented Aug 12, 2017

php-coder commented Aug 23, 2017

childsb commented Aug 23, 2017

liggitt commented Aug 23, 2017

k8s-github-robot commented Aug 23, 2017

saad-ali commented Aug 29, 2017

php-coder commented Jun 14, 2017 •

edited

Loading

liggitt commented Aug 2, 2017 •

edited

Loading

liggitt commented Aug 12, 2017 •

edited

Loading