Hi,
Looking for some feedback with regards to the utilisation of RBD devices as PVs on
a multi-tenanted OpenShift platform.
At present, it appears you need to define the secret as such within a PV
declaration:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-pv
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  rbd:
    monitors:
      - 192.168.122.133:6789
    pool: rbd
    image: ceph-image
    user: admin
    secretRef:
      name: ceph-secret
    fsType: ext4
    readOnly: false
  persistentVolumeReclaimPolicy: Recycle
This means the following (unless I'm missing something!):
o) 'ceph-secret' needs to exist within the correct project/namespace that
wants to create a PVC against an RBD-backed PV. I can't see a way to have a
general secret (for example, located within the openshift namespace).
o) On this basis, it means the contents of ceph-secret can be read by any
project that requires access to the storage system? (And thus exposes the
required keys to mount any volume within that pool space.) Or is there a way
to make it so only the OpenShift processes (and not the user) can read the
contents of ceph-secret?
Our use case would be utilisation of OpenShift clusters with untrusted clients
in distinct projects, so we're trying to ensure they can't access each other's
storage.
Any input appreciated - cheers!
James.
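As an added example (not part of James's post, and not OpenShift or Ceph project code), here is the same PV written two ways: the form from the post, where a name-only secretRef is resolved in the namespace of the PVC that binds the PV, so every tenant project using the pool must hold a copy of the Ceph key; and a variant that references a secret kept in one dedicated namespace through secretRef.namespace. The second form assumes a Kubernetes release whose RBD persistent-volume source accepts secretRef.namespace (a later API than the one this question was written against; check your cluster's API reference before relying on it). The namespace name ceph-infra is constructed for the example; the monitor address, pool, image and secret name are taken from the post, and the key value is a placeholder.

```yaml
# Form 1: the declaration from the post. secretRef carries only a name, so the
# secret is looked up in the tenant namespace that creates the PVC, and anyone
# who can read secrets in that project can read the Ceph key.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-pv-tenant-secret
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  rbd:
    monitors:
      - 192.168.122.133:6789
    pool: rbd
    image: ceph-image
    user: admin
    secretRef:
      name: ceph-secret          # resolved in the PVC's namespace
    fsType: ext4
    readOnly: false
  persistentVolumeReclaimPolicy: Recycle
---
# Form 2 (assumes an API that accepts secretRef.namespace on PV rbd sources):
# the key is stored once, in a namespace tenants are not granted access to.
apiVersion: v1
kind: Secret
metadata:
  name: ceph-secret
  namespace: ceph-infra          # constructed name for a restricted namespace
type: kubernetes.io/rbd
data:
  key: PLACEHOLDER_BASE64_CEPH_KEY   # placeholder; fill from `ceph auth get-key`
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-pv-central-secret
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  rbd:
    monitors:
      - 192.168.122.133:6789
    pool: rbd
    image: ceph-image
    user: admin                  # a Ceph user capped to this pool would limit exposure further
    secretRef:
      name: ceph-secret
      namespace: ceph-infra      # the PV, not the tenant, names where the key lives
    fsType: ext4
    readOnly: false
  persistentVolumeReclaimPolicy: Recycle
```

With the second form a tenant project only needs the PVC; whether a tenant user can still read the key is then purely a question of their RBAC in ceph-infra, which you can verify from the tenant's point of view with `oc auth can-i get secrets -n ceph-infra --as=<tenant-user>` and expect "no". Because a PV is cluster-scoped, the PV itself is what ties a tenant's PVC to an image, so keeping PV creation out of tenant hands is part of the same boundary.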
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users