Commit
feat(security/self-assessment): add actors and basic actions writeup
Signed-off-by: Niladri Halder <[email protected]>
Showing 1 changed file with 49 additions and 0 deletions.
@@ -0,0 +1,49 @@ | ||
# OpenEBS Self-assessment | ||
|
||
## Table of contents | ||
|
||
- [OpenEBS Self-assessment](#openebs-self-assessment) | ||
- [Table of contents](#table-of-contents) | ||
- [Metadata](#metadata) | ||
- [Security links](#security-links) | ||
- [Overview](#overview) | ||
- [Background](#background) | ||
- [Actors](#actors) | ||
- [Actions](#actions) | ||
|
||
## Metadata | ||
|
||
### Security links | ||
|
||
## Overview | ||
|
||
|
||
### Background | ||
|
||
|
||
### Actors | ||
|
||
- **LocalPV Hostpath Provisioner:** A kubernetes controller which serves PVs for LocalPV HOstpath PVCs. It creates/deletes Pods and PVs. | ||
- **LocalPV Hostpath helper:** A Pod which handles creation/deletion for a LocalPV Hostpath volume. It runs with privileged access, mounts a kubernetes hostPath. The path is pre-defined. | ||
- **LocalPV ZFS Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for ZFS volumes on the kubernetes cluster nodes. | ||
- **LocalPV ZFS Node plugin:** A CSI-node plugin which uses a host's ZFS utils based RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot ops for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with ZFS kernel modules and block device nodes. | ||
- **LocalPV LVM Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot creation for LVM volumes on the kubernetes cluster nodes. | ||
- **LocalPV LVM Node plugin:** A CSI-node plugin which uses in-built LVM RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot creation for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with LVM kernel modules and block device nodes. | ||
- **Replicated PV Mayastor Core Agent:** This is acts as a control-plane for a Mayastor cluster. Communitcates with other mayastor services via HTTP (gRPC). | ||
- **Replicated PV Mayastor Etcd persistent store:** This persists the state of a Mayastor cluster. Uses replication and self-healing for redundancy and high-availability. | ||
- **Replicated PV Mayastor HA Cluster Agent:** This is a Mayastor control-plane agent which provides highly available volume target management. This communicates to the Mayastor's core agent via HTTP (gRPC). | ||
- **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers. | ||
- **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for Mayastor volumes | ||
- **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events. | ||
- **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC). | ||
- **Replicated PV Mayastor IO Engine metrics exporter:** This exposes volume controller stats data in prometheus-compatible format. This communicates with IO engines using intra Pod IPC. | ||
- **Replicated PV Mayastor Stats and Call-home plugin:** This is a plugin for reporting anonymous usage data from the kubernetes cluster. It communicates with the kubernetes API, and the Mayastor storage API to collect data. | ||
- **Clients:** This actor interacts with an OpenEBS cluster using standard kubernetes tools and/or specialised clients for accessing storage layer functionality. This is usually a kubernetes cluster admin or a storage admin. | ||
|
||
### Actions | ||
|
||
- **PVC-PV based volume ops:** The OpenEBS cluster deployment registers provisioner plugin names with the kubernetes cluster, and serves dynamic volume provisioning, de-provisioning, expansion, snapshot handling for different block and filesystem stacks. These are meant to plug into a kubernetes cluster as a storage service. These services are accessible to kubernetes cluster clients with adequate RBAC permissions. This is governed by a cluster administrator's RBAC configuration. The node-level plugins run as privileged containers to access system-software level OS APIs. The control-plane layers make use of kubernetes primitives to ensure exclusive access to virtual storage devices: | ||
- LocalPV storage control plane uses Kubernetes NodeAffinityLabels to pin volumes to a single cluster node's host. | ||
- Replicated PV Mayastor uses Kuberentes VolumeAttachments to allow exclusive volume access (RWO mode) to a single kubernetes node host. | ||
|
||
- **Volume Access Control:** The Replicated PV CSI plugins make use of CSI volume mode SINGLE_NODE_WRITER and NVMe Reservations to ensure single-tenancy. |
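Review bot: the "LocalPV LVM Node plugin" entry says it carries out volume ops "for local ZFS volumes" while using an "in-built LVM RPC client"; this reads as a copy of the ZFS Node plugin entry directly above it and should say "for local LVM volumes", with the rest of the sentence checked against the LVM Controller plugin entry (which correctly says LVM). A few spelling slips in the same hunk would otherwise land in the published assessment: "HOstpath" in the Hostpath Provisioner entry, "This is acts as a control-plane" and "Communitcates" in the Core Agent entry, "low-lantency" in the IO Engine entry, and "Kuberentes" in the VolumeAttachments bullet. On content, the Hostpath helper entry states "The path is pre-defined" without naming the path, and the Actions section says "The node-level plugins run as privileged containers to access system-software level OS APIs" while listing no control beyond the cluster administrator's RBAC; since several actors above are described as mounting hostPath directories and running privileged, a self-assessment reader will want each such mount named and the reason it needs privileged access stated, so that the trust boundary between the node plugins and the host is explicit rather than implied.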