Rook provides security for CephNFS server clusters through two high-level features: user ID mapping and user authentication.
All features in this document are experimental and may not support upgrades to future versions.
Some configurations of these features may break the ability to mount NFS storage to pods via PVCs. The NFS CSI driver may not be able to mount exports for pods when ID mapping is configured.
User ID mapping¶
User ID mapping allows the NFS server to map connected NFS client IDs to a different user domain, allowing NFS clients to be associated with a particular user in your organization. For example, users stored in LDAP can be associated with NFS users and vice versa.
ID mapping via SSSD¶
SSSD is the System Security Services Daemon. It can be used to provide user ID mapping from a number of sources including LDAP, Active Directory, and FreeIPA. Currently, only LDAP has been tested.
The Ceph container image must have the
sssd-client package installed to support SSSD. This package is included in
quay.io/ceph/ceph in v17.2.4 and newer. For older Ceph versions you may build your own Ceph image which adds
RUN yum install sssd-client && yum clean all.
SSSD requires a configuration file in order to configure its connection to the user ID mapping system (e.g., LDAP). The file follows the
sssd.conf format documented in its man pages.
Methods of providing the configuration file are documented in the NFS CRD security section.
Recommendations: - The SSSD sidecar only requires the namespace switch (a.k.a. "nsswitch" or "nss"). We recommend enabling only the
nss service to lower CPU usage. - NFS-Ganesha does not require user enumeration. We recommend leaving this option unset or setting
enumerate = false to speed up lookups and reduce RAM usage. - NFS exports created via documented methods do not require listing all members of groups. We recommend setting
ignore_group_members = true to speed up LDAP lookups. Only customized exports that set
manage_gids need to consider this option.
sssd.conf file is shown below.
The SSSD configuration file may be omitted from the CephNFS spec if desired. In this case, Rook will not set
/etc/sssd/sssd.conf in any way. This allows you to manage the
sssd.conf file yourself however you wish. For example, you may build it into your custom Ceph container image, or use the Vault agent injector to securely add the file via annotations on the CephNFS spec (passed to the NFS server pods).
User authentication allows NFS clients and the Rook CephNFS servers to authenticate with each other to ensure security.
Authentication through Kerberos¶
Kerberos is the authentication mechanism natively supported by NFS-Ganesha. With NFSv4, individual users are authenticated and not merely client machines.
Kerberos authentication requires configuration files in order for the NFS-Ganesha server to authenticate to the Kerberos server (KDC). The requirements are two-parted: 1. one or more kerberos configuration files that configures the connection to the Kerberos server. This file follows the
krb5.conf format documented in its man pages. 2. a keytab file that provides credentials for the service principal that NFS-Ganesha will use to authenticate with the Kerberos server.
Methods of providing the configuration files are documented in the NFS CRD security section.
Recommendations: - Rook configures Kerberos to log to stderr. We suggest removing logging sections from config files to avoid consuming unnecessary disk space from logging to files.
A sample Kerberos config file is shown below.
The Kerberos config files (
configFiles) may be omitted from the Ceph NFS spec if desired. In this case, Rook will not add any config files to
/etc/krb5.conf.rook/, but it will still configure Kerberos to load any config files it finds there. This allows you to manage these files yourself however you wish.
Similarly, the keytab file (
keytabFile) may be omitted from the CephNFS spec if desired. In this case, Rook will not set
/etc/krb5.keytab in any way. This allows you to manage the
krb5.keytab file yourself however you wish.
As an example for either of the above cases, you may build files into your custom Ceph container image or use the Vault agent injector to securely add files via annotations on the CephNFS spec (passed to the NFS server pods).
NFS service principals¶
The Kerberos service principal used by Rook's CephNFS servers to authenticate with the Kerberos server is built up from 3 components: 1. the configured from
spec.security.kerberos.principalName that acts as the service name 2. the hostname of the server on which NFS-Ganesha is running which is in turn built up from the namespace and name of the CephNFS resource, joined by a hyphen. e.g.,
rooknamespace-nfsname 3. the realm as configured by the kerberos config file(s) from
The full service principal name is constructed as
<principalName>/<namespace>-<name>@<realm>. For ease of scaling up or down CephNFS clusters, this principal is used for all servers in the CephNFS cluster.
Users must add this service principal to their Kerberos server configuration.
For a CephNFS named "fileshare" in the "business-unit" Kubernetes namespace that has a
principalName of "sales-apac" and where the Kerberos realm is "EXAMPLE.NET", the full principal name will be
spec.security.kerberos.principalName corresponds directly to NFS-Ganesha's NFS_KRB5:PrincipalName config. See the NFS-Ganesha wiki for more details.