feat(security/self-assessment): add actors and basic actions writeup
Signed-off-by: Niladri Halder <[email protected]>
niladrih committed Feb 5, 2025
1 parent 47cd666 commit f185e6a
Showing 1 changed file with 53 additions and 0 deletions.
53 changes: 53 additions & 0 deletions security/self-assessment.md
@@ -0,0 +1,53 @@
# OpenEBS Self-assessment

## Table of contents

- [OpenEBS Self-assessment](#openebs-self-assessment)
- [Table of contents](#table-of-contents)
- [Metadata](#metadata)
- [Security links](#security-links)
- [Overview](#overview)
- [Background](#background)
- [Actors](#actors)
- [Actions](#actions)

## Metadata

### Security links

## Overview


### Background


### Actors

- **LocalPV Hostpath Provisioner:** A kubernetes controller which serves PVs for LocalPV HOstpath PVCs. It creates/deletes Pods and PVs.
- **LocalPV Hostpath helper:** A Pod which handles creation/deletion for a LocalPV Hostpath volume. It runs with privileged access, mounts a kubernetes hostPath. The path is pre-defined.
- **LocalPV ZFS Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for ZFS volumes on the kubernetes cluster nodes.
- **LocalPV ZFS Node plugin:** A CSI-node plugin which uses a host's ZFS utils based RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot ops for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with ZFS kernel modules and block device nodes.
- **LocalPV LVM Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot creation for LVM volumes on the kubernetes cluster nodes.
- **LocalPV LVM Node plugin:** A CSI-node plugin which uses in-built LVM RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot creation for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with LVM kernel modules and block device nodes.
- **Replicated PV Mayastor Core Agent:** This is acts as a control-plane for a Mayastor cluster. Communitcates with other mayastor services via HTTP (gRPC).
- **Replicated PV Mayastor Etcd persistent store:** This persists the state of a Mayastor cluster. Uses replication and self-healing for redundancy and high-availability.
- **Replicated PV Mayastor HA Cluster Agent:** This is a Mayastor control-plane agent which provides highly available volume target management. This communicates to the Mayastor's core agent via HTTP (gRPC).
- **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers.
- **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for Mayastor volumes
- **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events.
- **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC).
- **Replicated PV Mayastor IO Engine metrics exporter:** This exposes volume controller stats data in prometheus-compatible format. This communicates with IO engines using intra Pod IPC.
- **Replicated PV Mayastor Stats and Call-home plugin:** This is a plugin for reporting anonymous usage data from the kubernetes cluster. It communicates with the kubernetes API, and the Mayastor storage API to collect data.
- **Clients:** This actor interacts with an OpenEBS cluster using standard kubernetes tools and/or specialised clients for accessing storage layer functionality. This is usually a kubernetes cluster admin or a storage admin.

### Actions

- **PVC-PV based volume ops:** The OpenEBS cluster deployment registers provisioner plugin names with the kubernetes cluster, and serves dynamic volume provisioning, de-provisioning, expansion, snapshot handling for different block and filesystem stacks. These are meant to plug into a kubernetes cluster as a storage service. These services are accessible to kubernetes cluster clients with adequate RBAC permissions. This is governed by a cluster administrator's RBAC configuration.

The node-level plugins run as privileged containers to access system-software level OS APIs.

The control-plane layers make use of kubernetes primitives to ensure exclusive access to virtual storage devices:
- LocalPV storage control plane uses Kubernetes NodeAffinityLabels to pin volumes to a single cluster node's host.
- Replicated PV Mayastor uses Kuberentes VolumeAttachments to allow exclusive volume access (RWO mode) to a single kubernetes node host.

- **Volume Access Control:** The Replicated PV CSI plugins make use of CSI volume mode SINGLE_NODE_WRITER and NVMe Reservations to ensure single-tenancy.
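
Review bot: The LocalPV LVM Node plugin entry under Actors says it carries out operations "for local ZFS volumes", which looks copied from the ZFS Node plugin entry and should read "for local LVM volumes". In the same list, the Mayastor actors are described as communicating over "HTTP (gRPC)" or "HTTP" without saying whether those channels are authenticated or encrypted; a self-assessment reader needs that stated, either per actor or once for the whole control plane. The LocalPV Hostpath helper entry says it runs with privileged access and that "The path is pre-defined", but not who defines the path or where it is configured; name the source of that setting so the trust boundary is clear. Under Actions, the paragraphs and the two sub-bullets that follow "PVC-PV based volume ops" are not indented as shown here, so they will render outside that list item; indent them to keep them attached to it. Spelling to fix before merge: "HOstpath", "This is acts as", "Communitcates", "low-lantency", "Kuberentes", and the missing full stop at the end of the Mayastor CSI Controller plugin entry. The Metadata, Security links, Overview and Background headings are added with no content; fill them in or say in the commit message that they are placeholders for a follow-up.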
