Hi,
Looking for some feedback with regards to utilisation of RBD devices as
PVs in the area of a multi-tenanted openshift platform.
At present, it appears you need to define the secret as such within a PV
declaration:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-pv
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  rbd:
    monitors:
      - 192.168.122.133:6789
    pool: rbd
    image: ceph-image
    user: admin
    secretRef:
      name: ceph-secret
    fsType: ext4
    readOnly: false
  persistentVolumeReclaimPolicy: Recycle
This means the following (unless I’m missing something!):
o) ‘ceph-secret’ needs to exist within the correct project/namespace
that wants to create a PVC against an RBD-backed PV. I can’t see a way
to have a general secret (for example, located within the openshift
namespace).
o) On this basis – it means the contents of ceph-secret can be read by
any project that requires access to the storage system? (And thus
expose the required keys to mount any volumes within that pool space).
Or is there a way to make it so only the openshift processes (and not
the user) can read the contents of ceph-secret?
Our use case would be utilisation of openshift clusters with untrusted
clients in distinct projects, so we’re trying to ensure they can’t
access each other’s storage.
Any input appreciated – cheers!
James.
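As an added illustration (not part of the original post or of OpenShift itself), the following script performs the audit the question implies: given parsed PersistentVolume, Role/ClusterRole and RoleBinding objects, it works out in which namespace each RBD secret is resolved and which non-administrative subjects in that namespace are allowed to read it. It assumes that `rbd.secretRef` may carry an optional `namespace` field, as the PersistentVolume spec of later Kubernetes releases allows, and that without it the secret is looked up in the namespace of the bound claim; the objects are plain dicts and the sample manifests are constructed for the demo.

```python
"""Audit: which tenants can read the shared RBD key referenced by a PV?
Added example, not from the mailing-list post. Objects are parsed manifests
given as dicts; the `secretRef.namespace` field is assumed to be available."""

from collections import defaultdict

READ_VERBS = {"get", "list", "watch", "*"}


def rbd_secret_location(pv):
    """Return (secret_name, namespace) for an RBD-backed PV, or None."""
    rbd = pv.get("spec", {}).get("rbd")
    if not rbd or "secretRef" not in rbd:
        return None
    ref = rbd["secretRef"]
    if "namespace" in ref:                      # secret pinned to a fixed namespace
        return ref["name"], ref["namespace"]
    claim = pv.get("spec", {}).get("claimRef")  # otherwise: the claiming project
    if claim:
        return ref["name"], claim["namespace"]
    return ref["name"], None                    # unbound PV: location not yet known


def secret_readers(namespace, roles, rolebindings):
    """Subjects whose bound role grants a read verb on secrets in `namespace`."""
    readers = []
    for rb in rolebindings:
        if rb["metadata"]["namespace"] != namespace:
            continue
        ref = rb["roleRef"]
        key = ("", ref["name"]) if ref.get("kind") == "ClusterRole" else (namespace, ref["name"])
        role = roles.get(key)
        if role is None:
            continue
        grants_read = any(
            set(rule.get("resources", [])) & {"secrets", "*"}
            and READ_VERBS & set(rule.get("verbs", []))
            for rule in role.get("rules", [])
        )
        if grants_read:
            readers.extend(s["name"] for s in rb.get("subjects", []))
    return readers


def shared_key_exposure(pvs, roles, rolebindings, system_namespaces=("openshift",)):
    """Map (secret, namespace) pairs used by PVs to the tenant subjects able to read them."""
    exposure = defaultdict(list)
    for pv in pvs:
        loc = rbd_secret_location(pv)
        if loc is None or loc[1] is None or loc[1] in system_namespaces:
            continue
        name, ns = loc
        for subject in secret_readers(ns, roles, rolebindings):
            if subject not in exposure[(name, ns)]:
                exposure[(name, ns)].append(subject)
    return dict(exposure)


# Constructed sample objects. Roles are keyed by (namespace, name); ClusterRoles
# use the empty namespace. Only the rules relevant to the check are reproduced.
SAMPLE_ROLES = {
    ("", "edit"): {"rules": [{"resources": ["secrets"], "verbs": ["get", "list", "create", "update"]}]},
    ("", "view"): {"rules": [{"resources": ["pods"], "verbs": ["get", "list"]}]},
}
SAMPLE_ROLEBINDINGS = [
    {"metadata": {"namespace": "tenant-a", "name": "edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"namespace": "tenant-b", "name": "view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]
RBD_BASE = {"monitors": ["192.0.2.10:6789"], "pool": "rbd", "user": "admin", "fsType": "ext4"}
SAMPLE_PVS = [
    # Same shape as the PV in the post: the secret is resolved in the claiming project.
    {"metadata": {"name": "ceph-pv-a"},
     "spec": {"rbd": {**RBD_BASE, "image": "img-a", "secretRef": {"name": "ceph-secret"}},
              "claimRef": {"namespace": "tenant-a", "name": "data"}}},
    {"metadata": {"name": "ceph-pv-b"},
     "spec": {"rbd": {**RBD_BASE, "image": "img-b", "secretRef": {"name": "ceph-secret"}},
              "claimRef": {"namespace": "tenant-b", "name": "data"}}},
    # Secret pinned to an administrative namespace that tenants cannot read.
    {"metadata": {"name": "ceph-pv-c"},
     "spec": {"rbd": {**RBD_BASE, "image": "img-c",
                      "secretRef": {"name": "ceph-secret", "namespace": "openshift"}},
              "claimRef": {"namespace": "tenant-c", "name": "data"}}},
]

if __name__ == "__main__":
    for (secret, ns), subjects in shared_key_exposure(SAMPLE_PVS, SAMPLE_ROLES, SAMPLE_ROLEBINDINGS).items():
        print(f"secret {secret!r} in {ns}: readable by {', '.join(subjects)}")
```

In the sample, only `tenant-a` is reported: alice holds `edit`, which reads secrets, so the Ceph key used to map any image in the pool is visible to her; bob holds `view` without secret access, and the PV whose `secretRef` names the `openshift` namespace is skipped because the key never lands in a tenant project. Run against real `oc get ... -o json` output, the same functions show whether the concern raised above applies to a given cluster.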
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users