Class Data Sharing may help improve startup time and memory consumption for both masters and agents (jnlp).
For masters, it would mean mounting a folder from the host (https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) and using it as the cache. It requires some changes in scc/podsecuritypolicy, as today hostPath volumes cannot be mounted by masters' service accounts. It's not wise to give more permissions to this service account until we split masters and agents as specified in #5.
For agents, it's TBD. Regarding security, it may be unsafe to allow agents to mount hostPath (e.g. /var/lib/docker).
Note: PodSecurityPolicy offers a fine-grained policy that lets you specify a whitelist of host paths that are allowed to be used by hostPath volumes. PodSecurityPolicies are not available on OpenShift 3.9 (but are a beta feature in 3.11). There is only SecurityContextConstraint, which provides hostPath access on an all-or-nothing basis.
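
The contrast described in the note, as an added example that is not part of the original issue: a PodSecurityPolicy that limits hostPath to one directory, next to the SecurityContextConstraints switch that permits any host path. The object names and the `/var/cache/jenkins-cds` directory are hypothetical.

```yaml
# PodSecurityPolicy: hostPath is allowed, but only under one prefix.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: jenkins-master-cds        # hypothetical name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  volumes:
    - hostPath
    - configMap
    - secret
  allowedHostPaths:
    # Matches the directory and anything below it, not /var/cache/jenkins-cds-other
    - pathPrefix: /var/cache/jenkins-cds   # hypothetical cache directory
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# SecurityContextConstraints: a single boolean, with no path restriction.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: jenkins-master-hostpath   # hypothetical name
allowHostDirVolumePlugin: true    # any host path, /var/lib/docker included
allowPrivilegedContainer: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
volumes:
  - hostPath
  - configMap
  - secret
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
```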