csm
[FEATURE]: Security Feature for Mount request
Request Feature: Karavi Authorization should have an authorization feature for mount requests. Kubernetes Pods should not be able to mount PVs which are claimed by other k8s clusters, so Karavi Authorization should deny mount requests for an existing PV from Pods which do not call the PVC for the target PV.

Issue: In a multi-tenancy CaaS environment, there is no feature for tenant isolation on CSI block storage based on Dell EMC Storage. So logically, Pods can mount a PV which was provisioned by a PVC which another k8s cluster issued. This would be a security hole. This will prevent Dell EMC storage from being chosen for the MEC in 5G platform or CSP's CaaS Service Platform.
@aki318is: Thank you for submitting this issue!
The issue is currently awaiting triage. Please make sure you have given us as much context as possible.
If the maintainers determine this is a relevant issue, they will remove the needs-triage label and assign an appropriate priority label.
We want your feedback! If you have any questions or suggestions regarding our contributing process/workflow, please reach out to us at [email protected].
@aki318is thank you for the feature request. We are looking for clarification here:
How would a PV be exposed to a different K8S cluster? Taking PowerFlex as an example, do you mean mapping the storage volume to another SDC that is associated to another K8S cluster (tenant)? In that case, the tenant would need access to the storage system itself to perform the mapping operation, bypassing the driver.
Or are you referring to a single K8S cluster hosting multiple tenants?
@hoppea2 Thank you for investigating this request. I think an ordinary k8s environment is built and running on a virtualized environment; bare metal k8s environments must be rare in the real world. For example, most RHOSP is running on vSphere. So, one host is serving multiple k8s clusters. So, the storage LUN masking/mapping feature does not work for access control for the LUNs from the k8s clusters, because the storage masking/mapping feature only defines access control between the LUNs and the hosts.
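The argument in this thread, modelled as an added Go example (not code from Karavi Authorization or the Dell CSI drivers): host-level LUN masking admits a second cluster running on the same host, while a per-tenant ownership check denies it. All type, function and sample names are hypothetical, and the sample data is constructed.

```go
package main

import "fmt"

// Volume is a storage volume (LUN) backing a PV. All names here are hypothetical.
type Volume struct {
	OwnerTenant string          // k8s cluster whose PVC provisioned the volume
	MaskedHosts map[string]bool // hosts permitted by storage LUN masking/mapping
}

// MountRequest is what an authorizing proxy would see for a mount.
type MountRequest struct {
	Tenant, Host, VolumeID string
}

// HostMaskingAllows models the storage-side control, which only knows hosts.
func HostMaskingAllows(vols map[string]Volume, r MountRequest) bool {
	v, ok := vols[r.VolumeID]
	return ok && v.MaskedHosts[r.Host]
}

// TenantCheck adds the requested control: default deny, and the requesting
// tenant must be the one whose PVC provisioned the volume.
func TenantCheck(vols map[string]Volume, r MountRequest) (bool, string) {
	v, ok := vols[r.VolumeID]
	switch {
	case !ok:
		return false, "unknown volume"
	case !v.MaskedHosts[r.Host]:
		return false, "host not mapped"
	case v.OwnerTenant != r.Tenant:
		return false, "volume owned by another tenant"
	}
	return true, "owner"
}

// sampleVolumes is constructed data: one volume mapped to one shared host.
var sampleVolumes = map[string]Volume{
	"vol-a": {OwnerTenant: "cluster-a", MaskedHosts: map[string]bool{"host-1": true}},
}

func main() {
	for _, tenant := range []string{"cluster-a", "cluster-b"} { // both run on host-1
		r := MountRequest{Tenant: tenant, Host: "host-1", VolumeID: "vol-a"}
		ok, why := TenantCheck(sampleVolumes, r)
		fmt.Printf("%s: masking=%v tenant-check=%v (%s)\n", tenant, HostMaskingAllows(sampleVolumes, r), ok, why)
	}
}
```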