KubeCon EU 2016: Kubernetes Storage 101


Transcript of KubeCon EU 2016: Kubernetes Storage 101

Page 1: KubeCon EU 2016: Kubernetes Storage 101

Page 4: KubeCon EU 2016: Kubernetes Storage 101

Volume types (temp / local / network):

● emptyDir
● hostPath
● GlusterFS
● CephRBD
● gitRepo
● secret
● flocker
● gcePersistentDisk
● AWS ElasticBlockStore (EBS)
● NFS
● iSCSI
● Fibre Channel
● Cinder



Page 11: KubeCon EU 2016: Kubernetes Storage 101

Cattle Storage

Page 13: KubeCon EU 2016: Kubernetes Storage 101

Diagram: PV / PVC binding. Two users, Sally and Bob. Two cluster-global Persistent Volumes, PV123 and PV456. Three pods, each holding a claim reference to its own Persistent Volume Claim (PVC001, PVC002, PVC003); the claims, not the pods, are what bind to the global PVs.

Page 20: KubeCon EU 2016: Kubernetes Storage 101

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dyn-prov-claim
  annotations:
    volume.alpha.kubernetes.io/storage-class: aws-ebs
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

Available provisioners (storage class name / provisioner plugin):

● OpenStack Cinder: kubernetes.io/cinder
● AWS Elastic Block Store (EBS): kubernetes.io/aws-ebs
● GCE Persistent Disk (gcePD): kubernetes.io/gce-pd

Page 21: KubeCon EU 2016: Kubernetes Storage 101

Diagram: PV lifecycle (claim deleted). Provision (manual or dynamic) -> Available -> Bound (PV + PVC, after a pod's claim request) -> Released (claim deleted; the PV is kept under the default Retain policy). Other states shown: Pending; Failure, where the volume cannot mount and the pod goes into CrashLoopBackOff.

Page 22: KubeCon EU 2016: Kubernetes Storage 101

Diagram: PV lifecycle (pod deleted). Provision (manual or dynamic) -> Available -> Bound (PV + PVC, after a pod's claim request) -> Released (pod deleted; PV retained). A new pod claim request against the released PV ends in Failure: the volume cannot mount and the pod goes into CrashLoopBackOff. Other state shown: Pending. The slide labels this a "timing / vague state".

Page 24: KubeCon EU 2016: Kubernetes Storage 101

Pod Security Policy (upstream) vs. Security Context Constraints (SCC) (OpenShift)

Pod Security Policy:

● PSP provides an interface for the security types, but enforcement doesn't exist today
● No admission controller

Security Context Constraints:

SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:

1. Running of privileged containers.
2. Capabilities a container can request to be added.
3. Use of host directories as volumes.
4. The SELinux context of the container.
5. The user ID.
6. The use of host namespaces and networking.
7. Allocating an FSGroup that owns the pod's volumes.
8. Configuring allowable supplemental groups.

● SCCs are defined per namespace and can be restricted to specific users

Page 25: KubeCon EU 2016: Kubernetes Storage 101

# ls -ld /opt/nfs    # on the NFS server
drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs

The export is owned by root with group 1234 and mode 0770, so the pod's processes need gid 1234 as a supplemental group to read or write it:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-nfs-test
spec:
  containers:
    - name: nginx-nfs-test
      image: fedora/nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: nginx-nfs
          mountPath: /usr/share/nginx/html/test
  securityContext:
    supplementalGroups: [1234]
  volumes:
    - name: nginx-nfs
      persistentVolumeClaim:
        claimName: nfs-claim
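As an added example (not from the talk), a small Python pre-deployment check that reads the NFS server's `ls -ld` line and the pod's securityContext and reports which permission triplet the pod's processes will hit, so you can tell whether `supplementalGroups: [1234]` is what grants access or whether the export is simply open to every uid on the cluster. The `runAsUser: 1000` value is an assumption; the slide's pod sets none.

```python
import re

# Constructed from the slide: the export's `ls -ld` line and the securityContext
# of the nginx-nfs-test pod. runAsUser is an assumed value (the slide sets none).
NFS_LISTING = "drwxrwx---. 2 root 1234 4096 Oct 30 15:27 /opt/nfs"
POD_SC = {"runAsUser": 1000, "supplementalGroups": [1234]}

# type, 9 permission chars, optional SELinux/ACL marker, link count, owner, group
LS_RE = re.compile(r"^[dl-]([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s")


def parse_listing(line):
    """Split one `ls -ld` line into (permission string, owner, group)."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("unrecognised ls -ld output: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def pod_gids(sc):
    """Group IDs the pod's processes carry: fsGroup, runAsGroup, supplementalGroups."""
    gids = {str(g) for g in sc.get("supplementalGroups", [])}
    for key in ("fsGroup", "runAsGroup"):
        if key in sc:
            gids.add(str(sc[key]))
    return gids


def check_access(listing, sc):
    """Return (via, granted): which triplet applied ('owner', 'group', 'other')
    and the set of 'r'/'w'/'x' it grants. 'other' means any uid on the cluster
    gets the same access, so the export mode, not the pod spec, is the control."""
    perms, owner, group = parse_listing(listing)
    uid = sc.get("runAsUser")
    if uid is not None and str(uid) == owner:
        via, triplet = "owner", perms[0:3]
    elif group in pod_gids(sc):
        via, triplet = "group", perms[3:6]
    else:
        via, triplet = "other", perms[6:9]
    granted = set()
    for c in triplet:
        if c in "rw":
            granted.add(c)
        elif c in "xst":  # lower-case s/t: setgid/sticky with x also set
            granted.add("x")
    return via, granted


if __name__ == "__main__":
    print(check_access(NFS_LISTING, POD_SC))  # ('group', {'r', 'w', 'x'})
    print(check_access(NFS_LISTING, {"runAsUser": 1000}))  # ('other', set())
```

The check models only the directory mode; NFS server export options such as root_squash, and the image's default user when runAsUser is left unset, are outside what it decides.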

Page 26: KubeCon EU 2016: Kubernetes Storage 101

Currently the list of volumes which support ownership management includes:

● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo

apiVersion: v1
kind: Pod
metadata:
  name: rbd-web
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ceph-rbd
          mountPath: "/usr/share/nginx/html"
  securityContext:
    fsGroup: 1234
  volumes:
    - name: ceph-rbd
      rbd:
        monitors:
          - 192.168.122.133:6789
        pool: rbd
        image: foo
        user: admin
        secretRef:
          name: ceph-secret
        fsType: ext4
        readOnly: false

Page 27: KubeCon EU 2016: Kubernetes Storage 101

Currently the list of volumes which support SELinux management includes:

● AWS Elastic Block Store
● OpenStack Cinder
● GCE Persistent Disk
● iSCSI
● emptyDir
● Ceph RBD
● gitRepo
● Fibre Channel

apiVersion: v1
kind: Pod
metadata:
  name: ebs-web
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
      volumeMounts:
        - name: ebs-volume
          mountPath: "/usr/share/nginx/html"
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  volumes:
    - name: ebs-volume
      awsElasticBlockStore:
        volumeID: <VOLUME ID>
