Securing attached storage

Containers are useful for both stateless and stateful applications. Protecting attached storage is a key element of securing stateful services. Using the Container Storage Interface (CSI), OKD can incorporate storage from any storage back end that supports the CSI interface.

OKD provides plug-ins for multiple types of storage, including:

• Red Hat OpenShift Container Storage *

• AWS Elastic Block Stores (EBS) *

• AWS Elastic File System (EFS) *

• Azure File *

• OpenStack Cinder *

• VMware vSphere *

• Network File System (NFS)

• FlexVolume

• iSCSI

Plug-ins for those storage types with dynamic provisioning are marked with an asterisk (*). Data in transit is encrypted via HTTPS for all OKD components communicating with each other.

You can mount a persistent volume (PV) on a host in any way supported by your storage type. Different types of storage have different capabilities and each PV’s access modes are set to the specific modes supported by that particular volume.

For example, NFS can support multiple read/write clients, but a specific NFS PV might be exported on the server as read-only. Each PV has its own set of access modes describing that specific PV’s capabilities, such as , , and .

For block storage providers like AWS Elastic Block Store (EBS), GCE Persistent Disks, and iSCSI, OKD uses SELinux capabilities to secure the root of the mounted volume for non-privileged pods, making the mounted volume owned by and only visible to the container with which it is associated.

Additional resources

• Understanding persistent storage

• Dynamic provisioning

• Persistent storage using AWS Elastic Block Store