diff --git a/security/self-assessment.md b/security/self-assessment.md new file mode 100644 index 0000000..c56e9be --- /dev/null +++ b/security/self-assessment.md 
@@ -0,0 +1,53 @@ +# OpenEBS Self-assessment + +## Table of contents + +- [OpenEBS Self-assessment](#openebs-self-assessment) + - [Table of contents](#table-of-contents) + - [Metadata](#metadata) + - [Security links](#security-links) + - [Overview](#overview) + - [Background](#background) + - [Actors](#actors) + - [Actions](#actions) + +## Metadata + +### Security links + +## Overview + + +### Background + + +### Actors + +- **LocalPV Hostpath Provisioner:** A kubernetes controller which serves PVs for LocalPV HOstpath PVCs. It creates/deletes Pods and PVs. +- **LocalPV Hostpath helper:** A Pod which handles creation/deletion for a LocalPV Hostpath volume. It runs with privileged access, mounts a kubernetes hostPath. The path is pre-defined. +- **LocalPV ZFS Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for ZFS volumes on the kubernetes cluster nodes. +- **LocalPV ZFS Node plugin:** A CSI-node plugin which uses a host's ZFS utils based RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot ops for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with ZFS kernel modules and block device nodes. +- **LocalPV LVM Controller plugin:** A CSI-controller plugin which communicates with the kubernetes API server to orchestrate volume provisioning, de-provisioning, expansion, snapshot creation for LVM volumes on the kubernetes cluster nodes. +- **LocalPV LVM Node plugin:** A CSI-node plugin which uses in-built LVM RPC client to carry out volume provisioning, de-provisioning, expansion, snapshot creation for local ZFS volumes. It mounts hostpath directories on cluster hosts to enable communication with LVM kernel modules and block device nodes. +- **Replicated PV Mayastor Core Agent:** This is acts as a control-plane for a Mayastor cluster. 
Communitcates with other mayastor services via HTTP (gRPC). +- **Replicated PV Mayastor Etcd persistent store:** This persists the state of a Mayastor cluster. Uses replication and self-healing for redundancy and high-availability. +- **Replicated PV Mayastor HA Cluster Agent:** This is a Mayastor control-plane agent which provides highly available volume target management. This communicates to the Mayastor's core agent via HTTP (gRPC). +- **Replicated PV Mayastor HA Node Agent:** This is a Mayastor control-plane agent which mounts a hostpath directory and makes use of NVMe commands to execute volume target failovers. +- **Replicated PV Mayastor CSI Controller plugin:** This is a CSI-controller plugin which communicates with the Mayastor storage API (HTTP) and the kubernetes APIs to orchestrate volume provisioning, de-provisioning, expansion, snapshot ops for Mayastor volumes +- **Replicated PV Mayastor CSI Node plugin:** This is a CSI-node plugin which communicates with the Mayastor control-plane via HTTP (gRPC) and executes host-level volumes operations. It mounts hostpath directories for accessing sysfs APIs and kernel device events. +- **Replicated PV Mayastor IO Engine:** This is a userspace storage controller which polls for IO requests and serves a volume target for kubernetes containers. It consumes a high degree of CPU and memory resources to provide low-lantency, resilient storage. This communicates with the Mayastor control plane using HTTP (gRPC). +- **Replicated PV Mayastor IO Engine metrics exporter:** This exposes volume controller stats data in prometheus-compatible format. This communicates with IO engines using intra Pod IPC. +- **Replicated PV Mayastor Stats and Call-home plugin:** This is a plugin for reporting anonymous usage data from the kubernetes cluster. It communicates with the kubernetes API, and the Mayastor storage API to collect data. 
+- **Clients:** This actor interacts with an OpenEBS cluster using standard kubernetes tools and/or specialised clients for accessing storage layer functionality. This is usually a kubernetes cluster admin or a storage admin. + +### Actions + +- **PVC-PV based volume ops:** The OpenEBS cluster deployment registers provisioner plugin names with the kubernetes cluster, and serves dynamic volume provisioning, de-provisioning, expansion, snapshot handling for different block and filesystem stacks. These are meant to plug into a kubernetes cluster as a storage service. These services are accessible to kubernetes cluster clients with adequate RBAC permissions. This is governed by a cluster administrator's RBAC configuration. + +The node-level plugins run as privileged containers to access system-software level OS APIs. + +The control-plane layers make use of kubernetes primitives to ensure exclusive access to virtual storage devices: +- LocalPV storage control plane uses Kubernetes NodeAffinityLabels to pin volumes to a single cluster node's host. +- Replicated PV Mayastor uses Kuberentes VolumeAttachments to allow exclusive volume access (RWO mode) to a single kubernetes node host. + +- **Volume Access Control:** The Replicated PV CSI plugins make use of CSI volume mode SINGLE_NODE_WRITER and NVMe Reservations to ensure single-tenancy.
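Review bot: The "LocalPV LVM Node plugin" bullet in the Actors list says it carries out ops "for local ZFS volumes", which looks like a copy-paste from the ZFS Node plugin entry and should read "LVM volumes" so the trust-boundary description for that privileged component is accurate. In the same hunk, the Table of contents links to Metadata, Security links, Overview and Background, but all four headings are added empty; a self-assessment is normally read for exactly those sections (where to report vulnerabilities, what the threat model covers), so either fill them in this PR or drop them from the TOC until they exist. The Actions list is also structurally broken: the three paragraphs after the "PVC-PV based volume ops" bullet (the privileged-container note and the NodeAffinityLabels / VolumeAttachments sub-list) are not indented under it, and the "Volume Access Control" bullet then starts a new list after unindented prose, so either indent those paragraphs as part of the first item or promote them to their own bullet. Minor spelling: "HOstpath", "This is acts as", "Communitcates", "Kuberentes", "low-lantency".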