Add self-assessment doc #183
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
niladrih
requested review from
tiagolobocastro,
orville-wright,
avishnu,
Abhinandan-Purkait and
Alex130469
niladrih
force-pushed
the
security-self-assessment
branch
from
f185e6a to
f1d83ab
Compare
avishnu
reviewed
Feb 5, 2025
avishnu
reviewed
Feb 5, 2025
avishnu
reviewed
Feb 5, 2025
Signed-off-by: Niladri Halder <[email protected]>
niladrih
force-pushed
the
security-self-assessment
branch
from
f1d83ab to
3be0ddf
Compare
…tures, secure dev practices Signed-off-by: Niladri Halder <[email protected]>
niladrih
changed the title
|
hmm shouldn't this go here? |
Yes, I'll eventually raise the PR there. Wanted to get an internal round of review. |
| - Uses CSI volume modes and NVMe Reservations to guarantee exclusive volume access. | ||
|
|
||
| - **Secure Communication:** | ||
| - Utilizes secure HTTP/gRPC channels between control-plane and node components. |
There was a problem hiding this comment.
The REST doesn't have TLS. The gRPC layer doesn't have it also?
There was a problem hiding this comment.
Not the io-engine gRPC
Comment on lines
+61
to
+64
| Built-in data redundancy across nodes | ||
| Automated failure detection and recovery | ||
| Dynamic scaling of storage resources | ||
| Advanced storage features typically found in enterprise storage systems |
There was a problem hiding this comment.
Suggested change
| Built-in data redundancy across nodes | |
| Automated failure detection and recovery | |
| Dynamic scaling of storage resources | |
| Advanced storage features typically found in enterprise storage systems | |
| - Built-in data redundancy across nodes | |
| - Automated failure detection and recovery | |
| - Dynamic scaling of storage resources | |
| - Advanced storage features typically found in enterprise storage systems |
| - **Replicated PV Mayastor Core Agent:** This is acts as a control-plane for a Mayastor cluster. Communitcates with other mayastor services via HTTP (gRPC). | ||
| - **Replicated PV Mayastor Etcd persistent store:** This persists the state of a Mayastor cluster. Uses replication and self-healing for redundancy and high-availability. | ||
| - **Replicated PV Mayastor HA Cluster Agent:** This is a Mayastor control-plane agent which provides highly available volume target management. This communicates to the Mayastor's core agent via HTTP (gRPC). | ||
| - **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers. |
There was a problem hiding this comment.
Detection, reporting and replacement of failed target paths. I think we should mention these somewhere
There was a problem hiding this comment.
Why are these required?
There was a problem hiding this comment.
Because I am not sure what do you mean by makes use of nvme commands to execute failover. There are multiple actors involved in the whole process. The bit which HA node agent does is what I listed above.
There was a problem hiding this comment.
It interacts with csi node with grpc over uds and with cluster agent over grpc.
| - **Replicated PV Mayastor HA Cluster Agent:** This is a Mayastor control-plane agent which provides highly available volume target management. This communicates to the Mayastor's core agent via HTTP (gRPC). | ||
| - **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers. | ||
| - **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the Kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot operations for Mayastor volumes | ||
| - **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events. |
There was a problem hiding this comment.
kernel device events not sure if it does that, what do you mean by this? Also it's main aim is to do csi operations orchestrated by the kubelet?
There was a problem hiding this comment.
It uses udevadm to talk to udev. Udev listens to kernel device events.
There was a problem hiding this comment.
Isn't that HA node agent you are talking about?
| - **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers. | ||
| - **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the Kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot operations for Mayastor volumes | ||
| - **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events. | ||
| - **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for Kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC). |
There was a problem hiding this comment.
serves a volume target --> serves volume targets
| - **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the Kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot operations for Mayastor volumes | ||
| - **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events. | ||
| - **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for Kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC). | ||
| - **Replicated PV Mayastor IO Engine metrics exporter:** This exposes volume controller stats data in prometheus-compatible format. This communicates with IO engines using intra Pod IPC. |
There was a problem hiding this comment.
it exports pool metrics as well right?
| - **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for Kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC). | ||
| - **Replicated PV Mayastor IO Engine metrics exporter:** This exposes volume controller stats data in prometheus-compatible format. This communicates with IO engines using intra Pod IPC. | ||
| - **Replicated PV Mayastor Stats and Call-home plugin:** This is a plugin for reporting anonymous usage data from the Kubernetes cluster. It communicates with the Kubernetes API, and the Mayastor storage API to collect data. | ||
| - **Clients:** This actor interacts with an OpenEBS cluster using standard Kubernetes tools and/or specialised clients for accessing storage layer functionality. This is usually a Kubernetes cluster admin or a storage admin. |
There was a problem hiding this comment.
I don't see the mayastor api rest being listed here
There was a problem hiding this comment.
I've missed that one. I'll add it.
|
|
||
| - **Privileged Container Operations:** | ||
| - **What Happens:** | ||
| - Node-level plugins, including those for LocalPV and Replicated PV Mayastor, run as privileged containers. This enables them to access system-level OS APIs and execute low-level operations such as direct I/O on block devices and hostPath mounts. |
There was a problem hiding this comment.
LocalPV --> Local PV. Let's follow this throughout the docs.
| Extensive unit and integration tests validate functionality and secure behavior. | ||
|
|
||
| - **Automated CI/CD Pipelines:** | ||
| Secure pipelines enforce coding standards, run vulnerability scans, and perform dependency checks before deployment. |
There was a problem hiding this comment.
run vulnerability scans --> we don't do that on CI/CD, rather it's done by the dependabot
There was a problem hiding this comment.
We do it on linux-utils. But yes, we don't directly do vulnerability scans.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #152