[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes #723
Conversation
@Q-Lee @kubernetes/sig-auth-proposals

Do we really want to go with separate  In a similar manner, there could then be

We currently validate that we're covering volume sources to prevent drift between allowed and available volumes so that would have to be changed if we decided to do this (just need to keep that in mind)

each volume source type is likely to have different options. for hostpath, it is the local filesystem path. for flexvolumes, it's driver (and possibly option-level control in the future). I'd rather keep different things different.

In general, the proposal LGTM.
```go
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
AllowedFlexvolumes []AllowedFlexvolume
```
nit, AllowedFlexVolumes (match the case in the field)
Thanks, fixed.
cc @kubernetes/sig-storage-proposals @kubernetes/sig-auth-proposals

```markdown
### Validation rules

No validation is expected for Flexvolume driver names. API server should allow
```
nit: driver name should be non-empty
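The semantics discussed in this thread (the driver whitelist is consulted only when the flexVolume source is allowed in `volumes`, an empty or nil whitelist permits any driver, and a whitelisted driver name must be non-empty) as an added illustration; this is not the Kubernetes admission code, and the `PolicySpec` and function names are assumptions:

```go
package main

import "fmt"

// AllowedFlexVolume mirrors the proposed PSP entry: one whitelisted driver name.
type AllowedFlexVolume struct {
	Driver string
}

// PolicySpec is a trimmed stand-in for the PSP spec (an assumption, not the real API type).
type PolicySpec struct {
	Volumes            []string            // allowed volume sources, e.g. "flexVolume"; "*" allows all
	AllowedFlexVolumes []AllowedFlexVolume // empty or nil means any Flexvolume driver may be used
}

// ValidatePolicy applies the rule raised in review: a whitelisted driver name must be non-empty.
func ValidatePolicy(p PolicySpec) error {
	for i, fv := range p.AllowedFlexVolumes {
		if fv.Driver == "" {
			return fmt.Errorf("allowedFlexVolumes[%d].driver must be non-empty", i)
		}
	}
	return nil
}

// FlexVolumeAllowed reports whether a pod mounting the given Flexvolume driver is admitted.
// The whitelist is only consulted when the flexVolume source itself is allowed by Volumes.
func FlexVolumeAllowed(p PolicySpec, driver string) (bool, error) {
	sourceAllowed := false
	for _, v := range p.Volumes {
		if v == "flexVolume" || v == "*" {
			sourceAllowed = true
		}
	}
	if !sourceAllowed {
		return false, fmt.Errorf("flexVolume source is not allowed by the policy")
	}
	if len(p.AllowedFlexVolumes) == 0 {
		return true, nil // no whitelist: every driver allowed (the permissive default)
	}
	for _, fv := range p.AllowedFlexVolumes {
		if fv.Driver == driver {
			return true, nil
		}
	}
	return false, fmt.Errorf("flexVolume driver %q is not in allowedFlexVolumes", driver)
}
```

A policy that lists `flexVolume` in `volumes` but leaves `allowedFlexVolumes` empty is the permissive case to look for when auditing PSPs: every driver installed on the node is reachable from such pods.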
this LGTM and parallels fine-grained control over hostpaths. control over specific flex drivers is important as they begin to be used for a wider variety of applications
Commits were squashed without changes. PTAL.

This LGTM

/lgtm

Automatic merge from submit-queue

Seems reasonable to me.
Automatic merge from submit-queue

SCC: add AllowedFlexVolumes to manage a whitelist of allowed flexvolumes drivers

Proposal: kubernetes/community#723
Trello: https://trello.com/c/YT6sNEay/61-5-sccfsi-psp-scc-flex-volume-support
Examples: #15558 (comment)
Automatic merge from submit-queue (batch tested with PRs 55824, 53179). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Allow Pod Security Policy to manage access to the Flexvolumes

**What this PR does / why we need it**:
For proposal: https://github.com/kubernetes/community/blob/a1b9495e1b722699196ccec88d831fc850100827/contributors/design-proposals/auth/flex-volumes-drivers-psp.md (kubernetes/community#723)

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
Pod Security Policy can now manage access to specific FlexVolume drivers
```
Automatic merge from submit-queue (batch tested with PRs 55824, 53179). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Allow Pod Security Policy to manage access to the Flexvolumes

**What this PR does / why we need it**:
For proposal: https://github.com/kubernetes/community/blob/a1b9495e1b722699196ccec88d831fc850100827/contributors/design-proposals/auth/flex-volumes-drivers-psp.md (kubernetes/community#723)

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
Pod Security Policy can now manage access to specific FlexVolume drivers
```

Kubernetes-commit: f0e337cd56f36a6c9b8a0107084baa18fc20ddd8
…_scc Automatic merge from submit-queue

[Proposal] Allow a Pod Security Policy to managing access to the Flexvolumes

This PR proposes to add the `AllowedFlexVolumes` to a PSP to control pod's access to the different Flexvolume drivers. PTAL @smarterclayton @pweil- @mfojtik
Co-authored-by: Mitch Connors <mitchconnors@gmail.com>
This PR proposes to add the `AllowedFlexVolumes` to a PSP to control pod's access to the different Flexvolume drivers. PTAL @smarterclayton @pweil- @mfojtik