OSDOCS-15380# selinuxChangePolicy & fsGroupChangePolicy per namespace/pod level #98557
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
| :_mod-docs-content-type: CONCEPT | ||
| [id="storage_persistent_storage_change_policy_overview_{context}"] | ||
| = Reducing pod timeouts | ||
|
|
||
| Certain volume characteristics can cause pod startup delays and timeouts. The following table lists some volume issues that can cause pod timeout with a possible solution. | ||
|
|
||
| .Possible pod startup delay issues and solutions | ||
| [cols="2",options="header"] | ||
| |=== | ||
| |Issue | ||
| |Solution | ||
|
|
||
| |Volume with lots of files | ||
| |Set `fsGroupChangePolicy` to stop recursively changing ownership and permissions to match the fsGroup specified in a pod’s `securityContext`. | ||
|
|
||
| |Using SELinux on large volumes | ||
| |Set `seLinuxChangePolicy` to avoid runtime recursively relabeling all files on a volume to match the pod’s SELinux context. | ||
| |=== | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="using_fsGroup_namespace_{context}"] | ||
| = Changing fsGroup at the namespace level | ||
|
|
||
| After applying the desired setting for `fsGroupChangePolicy` at the namespace level, all subsequently created pods, and restarted pods, in that namespace inherit the setting. However, if desired, you can override the inherited `fsGroupChangePolicy` setting for individual pods. Setting `fsGroupChangePolicy` at the pod level overrides inheritance from the namespace level setting for that pod. | ||
|
|
||
| .Prerequisites | ||
|
|
||
| * Logged in to a running {product-title} cluster with administrator privileges. | ||
|
|
||
| * Access to the {product-title} console. | ||
|
|
||
| .Procedure | ||
|
|
||
| To set `fsGroupChangePolicy` per namespace: | ||
|
|
||
| . Select the desired namespace: | ||
|
|
||
| .. Click *Administration* > *Namespaces*. | ||
|
|
||
| .. On the *Namespaces* page, click the desired namespace. The *Namespace details* page appears. | ||
|
|
||
| . Add the `fsGroupChangePolicy` label to the namespace: | ||
|
|
||
| .. On the *Namespace details* page, next to *Labels*, click *Edit*. | ||
|
|
||
| .. In the *Edit labels* dialog, add the label `storage.openshift.io/fsgroup-change-policy` and set it equal to either: | ||
| + | ||
| * `OnRootMismatch`: Specifies skipping recursive permission change, thus helping to avoid pod timeout problems. | ||
| * `Always`: Specifies always changing permission and ownership of the volume when a volume is mounted. | ||
|
|
||
| .. Click *Save*. | ||
|
|
||
| .Verification | ||
| Start up a pod in the previously edited namespace and observe that the parameter `spec.securityContext.fsGroupChangePolicy` contains the value that you set for the namespace. | ||
|
|
||
| .Example pod YAML file showing `fsGroupChangePolicy` setting | ||
| [source,yaml] | ||
| ---- | ||
| securityContext: | ||
| seLinuxOptions: | ||
| level: 's0:c27,c24' | ||
| runAsNonRoot: true | ||
| fsGroup: 1000750000 | ||
| fsGroupChangePolicy: OnRootMismatch <1> | ||
| ... | ||
| ---- | ||
| <1> This value is inherited from the namespace. | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="using_fsGroup_pod_{context}"] | ||
| = Changing fsGroup at the pod level | ||
|
|
||
| You can set the set the `fsGroupChangePolicy` parameter in a new or existing deployment, and then the pods that it manages will have this parameter value. You can similarly do this for a statefulset. You cannot edit an existing pod to set `fsGroupChangePolicy`; however, you can set this parameter when creating a new pod. | ||
|
|
||
| This procedure describes how to set the `fsGroupChangePolicy` parameter in an existing deployment. | ||
|
|
||
| .Prerequisites | ||
|
|
||
| * Access to the {product-title} console. | ||
|
|
||
| .Procedure | ||
|
|
||
| To set the `fsGroupChangePolicy` parameter in an existing deployment: | ||
|
|
||
| . Click *Workloads* > *Deployments*. | ||
|
|
||
| . On the *Deployment* page, click the desired deployment. | ||
|
|
||
| . On the *Deployment details* page, click the *YAML* tab. | ||
|
|
||
| . Edit the deployment's YAML file under `spec.template.spec.securityContext` as per the following example file: | ||
|
There was a problem hiding this comment. 🤖 [error] RedHat.TermsErrors: Use 'according to', 'as', or 'as in' rather than 'as per'. For more information, see RedHat.TermsErrors. |
||
| + | ||
| .Example deployment YAML file setting `fsGroupChangePolicy` | ||
| [source,yaml] | ||
| ---- | ||
| ... | ||
| spec: | ||
| replicas: 3 | ||
| selector: | ||
| matchLabels: | ||
| app: my-app | ||
| template: | ||
| metadata: | ||
| creationTimestamp: null | ||
| labels: | ||
| app: my-app | ||
| spec: | ||
| containers: | ||
| - name: container | ||
| image: 'image-registry.openshift-image-registry.svc:5000/openshift/httpd:latest' | ||
| ports: | ||
| - containerPort: 8080 | ||
| protocol: TCP | ||
| resources: {} | ||
| terminationMessagePath: /dev/termination-log | ||
| terminationMessagePolicy: File | ||
| imagePullPolicy: Always | ||
| restartPolicy: Always | ||
| terminationGracePeriodSeconds: 30 | ||
| dnsPolicy: ClusterFirst | ||
| securityContext: | ||
| fsGroupChangePolicy: OnRootMismatch <1> | ||
| ... | ||
| ---- | ||
| <1> `OnRootMismatch` specifies skipping recursive permission change, thus helping to avoid pod timeout problems. | ||
|
|
||
| . Click *Save*. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="using_selinuxChangePolicy_namespace_{context}"] | ||
| = Changing seLinuxChangePolicy at the namespace level | ||
|
|
||
| After applying the desired setting for `seLinuxChangePolicy` at the namespace level, all subsequently created pods, and restarted pods, in that namespace inherit the setting. However, if desired, you can override the inherited `SELinuxChangePolicy` setting for individual pods. Setting `seLinuxChangePolicy` at the pod level overrides inheritance from the namespace level setting for that pod. | ||
|
|
||
| .Prerequisites | ||
|
|
||
| * Logged in to a running {product-title} cluster with administrator privileges. | ||
|
|
||
| * Access to the {product-title} console. | ||
|
|
||
| .Procedure | ||
|
|
||
| To set `SELinuxChangePolicy` per namespace: | ||
|
|
||
| . Select the desired namespace: | ||
|
|
||
| .. Click *Administration* > *Namespaces*. | ||
|
|
||
| .. On the *Namespaces* page, click the desired namespace. The *Namespace details* page appears. | ||
|
|
||
| . Add the `seLinuxChangePolicy` label to the namespace: | ||
|
|
||
| .. On the *Namespace details* page, next to *Labels*, click *Edit*. | ||
|
|
||
| .. In the *Edit labels* dialog, add the label `storage.openshift.io/selinux-change-policy` and set it equal to either: | ||
| + | ||
| * `MountOption`: Specifies avoiding recursive relabeling of all files by attempting to mount the volume with the correct SELinux label directly using the -o context mount option, thus helping to avoid pod timeout problems. | ||
| * `Recursive`: Specifies recursively relabeling all files on all pod volumes to the appropriate SELinux context. | ||
|
|
||
| .. Click *Save*. | ||
|
|
||
| .Verification | ||
| Start up a pod in the previously edited namespace and observe that the parameter `spec.securityContext.seLinuxChangePolicy` contains the value that you set for the namespace. | ||
|
|
||
| .Example pod YAML file showing `seLinuxChangePolicy` setting | ||
| [source,yaml] | ||
| ---- | ||
| securityContext: | ||
| seLinuxOptions: | ||
| level: 's0:c27,c19' | ||
| runAsNonRoot: true | ||
| fsGroup: 1000740000 | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| seLinuxChangePolicy: MountOption <1> | ||
| ... | ||
| ---- | ||
| <1> This value is inherited from the namespace. | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| // Module included in the following assemblies: | ||
|
There was a problem hiding this comment. 🤖 [error] OpenShiftAsciiDoc.ModuleContainsContentType: Module is missing the '_mod-docs-content-type' variable. |
||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
|
|
||
| [id="using_selinuxChangePolicy_pod_{context}"] | ||
| = Changing seLinuxChangePolicy at the pod level | ||
|
|
||
| You can set the set the `seLinuxChangePolicy` parameter in a new or existing deployment, and then the pods that it manages will have this parameter value. You can similarly do this for a statefulset. You cannot edit an existing pod to set `seLinuxChangePolicy`; however, you can set this parameter when creating a new pod. | ||
|
|
||
| This procedure describes how to set the `seLinuxChangePolicy` parameter in an existing deployment. | ||
|
|
||
| .Prerequisites | ||
|
|
||
| * Access to the {product-title} console. | ||
|
|
||
| .Procedure | ||
|
|
||
| To set the `seLinuxChangePolicy` parameter in an existing deployment: | ||
|
|
||
| . Click *Workloads* > *Deployments*. | ||
|
|
||
| . On the *Deployment* page, click the desired deployment. | ||
|
|
||
| . On the *Deployment details* page, click the *YAML* tab. | ||
|
|
||
| . Edit the deployment's YAML file under `spec.template.spec.securityContext` as per the following example file: | ||
|
There was a problem hiding this comment. 🤖 [error] RedHat.TermsErrors: Use 'according to', 'as', or 'as in' rather than 'as per'. For more information, see RedHat.TermsErrors. |
||
| + | ||
| .Example deployment YAML file setting `seLinuxChangePolicy` | ||
| [source,yaml] | ||
| ---- | ||
| ... | ||
| securityContext: | ||
| seLinuxChangePolicy: MountOption <1> | ||
| ... | ||
| ---- | ||
| <1> `MountOption` specifies skipping recursive relabeling, thus helping to avoid pod timeout problems. | ||
|
|
||
| . Click *Save*. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * storage/understanding-persistent-storage.adoc | ||
| //* microshift_storage/understanding-persistent-storage-microshift.adoc | ||
|
|
||
| :_mod-docs-content-type: CONCEPT | ||
| [id="using_selinuxChangePolicy_overview_{context}"] | ||
| = Reducing pod timeouts using seLinuxChangePolicy | ||
|
|
||
| SELinux (Security-Enhanced Linux) is a security mechanism that assigns security labels (contexts) to all objects (files, processes, network ports, etc.) on a system. These labels determine what a process can access. In {product-title}, SELinux helps prevent containers from escaping and accessing the host system or other containers. | ||
|
|
||
| ReadWRiteOnce (RWO), ReadWriteMany (RWX), and ReadWriteOncePod (RWOP) persistent volume (PV) access modes use the SELinux mount feature. This feature is driver dependent, and enabled by default in AWS EBS | ||
| ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] | ||
| , Azure Disk, GCP PD, IBM Cloud Block Storage volume, Cinder, vSphere, | ||
|
There was a problem hiding this comment. 🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{ibm-cloud-title}' rather than the plain text product term 'IBM Cloud', unless your use case is an exception. |
||
| endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[] | ||
| and {rh-storage-first}. For third-party drivers, contact your storage vendor. | ||
|
|
||
| :FeatureName: RWO/RWX SELinux mount | ||
| include::snippets/technology-preview.adoc[] | ||
|
|
||
| When a pod starts, the container runtime recursively relabels all files on a volume to match the pod's SELinux context. For large volumes, this can significantly increase pod startup times. | ||
|
|
||
| The `seLinuxChangePolicy` parameter addresses this performance issue by providing different strategies for applying SELinux labels to volumes. | ||
|
|
||
| The `seLinuxChangePolicy` parameter has two possible values: | ||
|
|
||
| * `MountOption`: This setting avoids the need for a recursive relabeling of all files by attempting to mount the volume with the correct SELinux label directly using the `-o context` mount option. | ||
|
|
||
| * `Recursive`: (Default) This setting recursively relabels all files on all pod volumes to the appropriate SELinux context. | ||
|
|
||
| You can set `seLinuxChangePolicy` at either the namespace or pod level. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤖 [error] RedHat.TermsErrors: Use 'many' rather than 'lots of'. For more information, see RedHat.TermsErrors.