We have an installed on-premise OpenShift 4.5 cluster with different projects (one per department), and for security reasons they are totally isolated from each other. Every project has its own pair of ingress and egress routers, so that we were able to create IP-based rules on our security infrastructure.
A lot of services (legacy stuff) need CSV files for processing, so we need a way to get files to and from the services.
Starting with NFS and separate shares for each project, which could then be mounted as persistent volumes, sounds great, as it fulfils the requirement for read-write-many (all replicas use the same storage, so they can fetch a CSV file and start processing).
As I already said, each project has to be isolated, but if I use PVs with NFS, I can't prevent a project admin from project A accessing the NFS share (PV -> PVC) which was intended for project B. I am not able to restrict the access via IP because OpenShift accesses the NFS server using the node IPs, and they are the same for every project.
We also tried to mount an NFS or SSHFS share from a container so that the traffic goes through egress (own IP for every project), but then we have to run it in privileged mode (only root can mount), which is restricted by our security guidelines.
We already thought about using oc rsh, but then we have to create a complex distribution mechanism via cron or something, which does not sound so great.
Am I missing something? Any ideas?
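As an added illustration of the PV -> PVC binding problem raised above (not part of the original post), a statically provisioned NFS PersistentVolume can be pre-bound to exactly one project's claim with `spec.claimRef`, so the binder will not hand it to a PVC created in another project. The project name, PVC name, NFS server address, export path and size are assumptions.

```yaml
# Added example, not from the original post: pre-binding an NFS PV to one
# project's PVC. Names, NFS server and paths are assumed placeholders.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: csv-share-project-b
spec:
  capacity:
    storage: 50Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: ""               # no dynamic class: explicit binding only
  nfs:
    server: nfs.example.internal     # placeholder NFS server
    path: /exports/project-b/csv     # placeholder export for project B
  # claimRef pins this PV to one PVC (namespace + name). A PVC in another
  # project, even one that sets volumeName to this PV, does not match the
  # claimRef and therefore stays Pending instead of binding to it.
  claimRef:
    namespace: project-b
    name: csv-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: csv-data
  namespace: project-b
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""               # must match the PV's empty class
  volumeName: csv-share-project-b    # request this specific PV
  resources:
    requests:
      storage: 50Gi
```

This only controls which project's PVC can bind the PV object; the NFS export itself is still reachable from every node, so it complements rather than replaces server-side export restrictions.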