Containers are useful for both stateless and stateful applications. Protecting attached storage is a key element of securing stateful services.
OpenShift Container Platform provides plug-ins for multiple types of storage, including NFS, AWS Elastic Block Stores (EBS), GCE Persistent Disks, GlusterFS, iSCSI, RADOS (Ceph) and Cinder. Data in transit is encrypted via HTTPS for all OpenShift Container Platform components communicating with each other.
You can mount PersistentVolume
(PV) on a host in any way supported by your
storage type. Different types of storage have different capabilities and each
PV’s access modes are set to the specific modes supported by that particular
volume.
For example, NFS can support multiple read/write clients, but a specific NFS PV
might be exported on the server as read-only. Each PV has its own set of access
modes describing that specific PV’s capabilities, such as ReadWriteOnce
,
ReadOnlyMany
, and ReadWriteMany
.
OpenShift Container Platform Architecture: Additional Concepts → Storage
OpenShift Container Platform Configuring Clusters: Configuring Persistent Storage → Volume Security
For shared storage providers like NFS, Ceph, and Gluster, the PV registers its group ID (GID) as an annotation on the PV resource. Then, when the PV is claimed by the pod, the annotated GID is added to the supplemental groups of the pod, giving that pod access to the contents of the shared storage.
OpenShift Container Platform Configuring Clusters
For block storage providers like AWS Elastic Block Store (EBS), GCE Persistent Disks, and iSCSI, OpenShift Container Platform uses SELinux capabilities to secure the root of the mounted volume for non-privileged pods, making the mounted volume owned by and only visible to the container with which it is associated.
OpenShift Container Platform Configuring Clusters