
Commit 790e487

Merge pull request #85569 from xenolinux/k8s-csi-iso-sec
OSDOCS#12418: KubeVirt CSI Security and Isolation for hosted clusters
2 parents fc648f9 + ae8d157 commit 790e487

2 files changed

+18
-0
lines changed

hosted_control_planes/hcp-manage/hcp-manage-virt.adoc

Lines changed: 1 addition & 0 deletions
@@ -43,6 +43,7 @@ include::modules/hcp-virt-csi-snapshot.adoc[leveloffset=+2]
4343
include::modules/hcp-virt-multiple-snapshots.adoc[leveloffset=+2]
4444
include::modules/hcp-virt-root-volume.adoc[leveloffset=+2]
4545
include::modules/hcp-virt-image-caching.adoc[leveloffset=+2]
46+
include::modules/hcp-virt-storage-security-isolation.adoc[leveloffset=+2]
4647

4748
[role="_additional-resources"]
4849
.Additional resources
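Review bot: the new include lands as the last storage subsection, directly before the `[role="_additional-resources"]` block, after the snapshot, root-volume and image-caching procedures. Since the added module is a CONCEPT that describes the isolation boundaries a reader should understand before provisioning storage, consider placing `include::modules/hcp-virt-storage-security-isolation.adoc[leveloffset=+2]` ahead of the procedural modules in this section instead, unless the section deliberately orders concepts last.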
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * hosted_control_planes/hcp-manage/hcp-manage-virt.adoc
4+
5+
:_mod-docs-content-type: CONCEPT
6+
[id="hcp-virt-storage-security-isolation_{context}"]
7+
= KubeVirt CSI storage security and isolation
8+
9+
KubeVirt Container Storage Interface (CSI) extends the storage capabilities of the underlying infrastructure cluster to hosted clusters. The CSI driver ensures secure and isolated access to the infrastructure storage classes and hosted clusters by using the following security constraints:
10+
11+
* The storage of a hosted cluster is isolated from the other hosted clusters.
12+
13+
* Worker nodes in a hosted cluster do not have a direct API access to the infrastructure cluster. The hosted cluster can provision storage on the infrastructure cluster only through the controlled KubeVirt CSI interface.
14+
15+
* The hosted cluster does not have access to the KubeVirt CSI cluster controller. As a result, the hosted cluster cannot access arbitrary storage volumes on the infrastructure cluster that are not associated with the hosted cluster. The KubeVirt CSI cluster controller runs in a pod in the hosted control plane namespace.
16+
17+
* Role-based access control (RBAC) of the KubeVirt CSI cluster controller limits the persistent volume claim (PVC) access to only the hosted control plane namespace. Therefore, KubeVirt CSI components cannot access storage from the other namespaces.
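Review bot: minor wording in the second bullet: "do not have a direct API access" should drop the article ("do not have direct API access"). The introductory sentence also reads awkwardly ("ensures secure and isolated access to the infrastructure storage classes and hosted clusters"); consider "ensures that hosted clusters have secure and isolated access to the infrastructure storage classes". In the last bullet it would help readers auditing the boundary to say how the PVC access is scoped to the hosted control plane namespace (for example, whether the controller's RBAC is a namespace-scoped Role rather than a ClusterRole), since "limits ... to only the hosted control plane namespace" is the security claim the whole module rests on.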
