Security constraint
Constrain the process so it runs with limited privilege (limited power):
- UID == 0 is root; UID >= 1000 is a normal user
- SELinux
- container security
- security constraint (securityContext)
- Run the process with limited power.
Log in to your system as a normal user, say sam:
$ cat /etc/shadow
access denied
Try with root:
# cat /etc/shadow
Create a deployment:
> kc create deploy myd --image=vimal13/apache-webserver-php
> kc get pods
> kc exec -it myd-xxxx -- sh
# id
# ps -aux
You are running as the root user.
# sleep 20 &
# ps -aux
You see sleep is running as root.
> kc describe pods myd-xxxx
> kc get pods myd-xxxx -o yaml > p.txt
> notepad p.txt
Review it: you will see the security context, and there is nothing in it:
  securityContext: {}
How can you constrain the pod to limited power? With a security context (the second runAsUser in the notes was the group, hence gid=3000 below):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    ...
> kc apply -f security-context.yaml
> kc get pods
> kc exec -it security-context-demo -- sh
$ id
You see uid=1000 and gid=3000.
$ ps
$ vi t.py
    import time
    time.sleep(300)
$ python3 t.py
It started. Open a new terminal:
$ ps -aux | grep t.py
The python process is owned by UID 1000, not root.
Cap -> capability
When a process starts, what are its capabilities? Can it
- change network settings?
- change the network stack?
- change the time?
What are the capabilities of the process?
You can write your process in any language and run it with the proper capabilities.
$ date
$ date 1212121212
You get an error: not permitted. As a normal user you don't have the capability to change the time.
$ ifconfig
$ ifconfig eth0 1.2.3.4
operation not permitted
# cat security-context_cap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]   # the list continues in the notes but is cut off
> kc apply -f security-context_cap.yaml
> kc exec -it security-context-demo-4 -- sh
# ps -aux
# ifconfig
# ip a s
# ip addr add 1.2.3.4/24 dev eth0
# ip a s
This is a concept of constraint.
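As an added example (not code from the notes), a small audit of Pod specs for the two constraints covered above, the securityContext UID/GID settings and added capabilities. The manifests are constructed Python dicts in the shape of `kc get pod -o yaml` output; container names and images follow the notes.

```python
def effective(spec, container, key):
    """Container-level securityContext overrides the pod-level one."""
    ctr = container.get("securityContext", {})
    return ctr[key] if key in ctr else spec.get("securityContext", {}).get(key)

def audit_pod(pod):
    """Return [(container, finding), ...]; an empty list means constrained."""
    findings, spec = [], pod["spec"]
    for c in spec["containers"]:
        name, sc = c["name"], c.get("securityContext", {})
        uid = effective(spec, c, "runAsUser")
        if uid is None:
            findings.append((name, "no runAsUser: image default, usually UID 0"))
        elif uid == 0:
            findings.append((name, "runAsUser 0: runs as root"))
        if not effective(spec, c, "runAsNonRoot"):
            findings.append((name, "runAsNonRoot not set"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        for cap in sc.get("capabilities", {}).get("add", []):
            findings.append((name, "adds capability " + cap))
    return findings

# Constructed sample 1: what "kc get pods -o yaml" showed in the notes,
# securityContext: {} and nothing at container level.
ROOT_POD = {"spec": {"securityContext": {}, "containers": [
    {"name": "myd", "image": "vimal13/apache-webserver-php"}]}}

# Constructed sample 2: the NET_ADMIN pod from the notes.
CAP_POD = {"spec": {"containers": [
    {"name": "sec-ctx-4", "image": "gcr.io/google-samples/node-hello:1.0",
     "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}

# Constructed sample 3: the constrained form, pod-level UID/GID from the
# notes plus container-level settings that keep the process from regaining root.
SAFE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000,
                        "fsGroup": 2000, "runAsNonRoot": True},
    "containers": [{"name": "sec-ctx-demo", "image": "busybox",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("root", ROOT_POD), ("cap", CAP_POD), ("safe", SAFE_POD)):
        print(label, audit_pod(pod) or "OK")
```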
Limits and quotas
> kc delete all --all
user (image) --> master
node1 - 4GB/4CPU
node2 - 16GB/6CPU
node3 - 16GB/16CPU
When you launch a new container with a minimum requirement of 1 GB RAM / 2 CPU,
the kube-scheduler checks the nodes and finds which one has that much RAM and CPU available, based on the requirement.
If the RAM/CPU is available it launches the container on that node; if that much RAM/CPU is not available, the container stays in Pending state.
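As an added example (not from the notes), the scheduling decision just described, run over the three nodes listed above. The node sizes come from the notes; the pods are constructed. It only does the "fits / does not fit" filter, so real kube-scheduler scoring is left out.

```python
# Constructed cluster: the three nodes from the notes (allocatable RAM/CPU).
NODES = {"node1": {"ram_gb": 4, "cpu": 4},
         "node2": {"ram_gb": 16, "cpu": 6},
         "node3": {"ram_gb": 16, "cpu": 16}}

def free(node, placed):
    """Allocatable minus the requests already booked on the node. The
    scheduler books by request, not by what the processes really use."""
    pods = placed.get(node, [])
    ram = NODES[node]["ram_gb"] - sum(p["ram_gb"] for p in pods)
    cpu = NODES[node]["cpu"] - sum(p["cpu"] for p in pods)
    return ram, cpu

def schedule(request, placed):
    """Place one pod on the first node whose free RAM and CPU cover the
    request, else leave it Pending. A pod with no requests (0/0) always
    fits and books nothing, which is how a node gets overcommitted."""
    for node in NODES:
        ram, cpu = free(node, placed)
        if request["ram_gb"] <= ram and request["cpu"] <= cpu:
            placed.setdefault(node, []).append(request)
            return node
    return "Pending"

def demo():
    """Schedule a constructed series of pods; returns where each landed."""
    placed = {}
    web = {"ram_gb": 1, "cpu": 2}      # the 1 GB / 2 CPU minimum from the notes
    big = {"ram_gb": 12, "cpu": 8}     # only node3 has 8 CPUs free
    huge = {"ram_gb": 20, "cpu": 2}    # more RAM than any node has: Pending
    none = {"ram_gb": 0, "cpu": 0}     # no requests: placed, nothing booked
    return [schedule(p, placed) for p in (web, web, web, big, huge, none)]

if __name__ == "__main__":
    print(demo())   # ['node1', 'node1', 'node2', 'node3', 'Pending', 'node1']
```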
Limit request
You defined the minimum requirement (the request), but not the maximum (the limit).
[heap memory]
It is always good practice to set a max limit.
When a pod launches there are lots of processes running and they may use more resources, so it is a good idea to limit the max value.
> kc create deploy
> kc get pods myd-... -o yaml > z.txt
> notepad z.txt
Review all the output; go down and look for the limits.
missed about 5 minutes here,
> kc get limitrange
> kc describe limitrange
> notepad limitrange_pod.yaml
A limit range is per namespace.
> kc get pods
Quota
Namespace
Create a user with RBAC:
- constrain this user to a particular namespace
- create the ns
- set RBAC for this user: power to work only on this particular ns
Inside that namespace there is still no constraint: they have full control over
pvc, pv, rc, svc ... and can create any number of pods.
What do we do?
We can tell our ns the max number of pv, pvc or anything else, i.e. set a limit,
say pods=3, pvc=2, to limit the resources.
This is done with quotas.
> kc get quota
> kc create namespace lw1
> kc get quota --namespace lw1
No resources found...
quota (quotas.yaml)
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: ...   # value cut off in the notes
> kc apply -f quotas.yaml --namespace lw1
You can create a quota from the command line too:
> kc create --help
Look for the example:
> kc create quota myq --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
> kc get pvc
> kc get quota
> kc get pods
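As an added example (not from the notes), a simplified model of how a ResourceQuota like the one above is enforced when pods are created in the namespace. The quota values and the pods are constructed; the rule that a pod must declare a request/limit for every resource the quota constrains (or be refused) is real Kubernetes behaviour, the accounting is a minimal model of it.

```python
UNITS = {"Gi": 1024**3, "Mi": 1024**2, "Ki": 1024, "G": 10**9, "M": 10**6, "K": 10**3}

def parse_qty(q):
    """Kubernetes quantity ("1", "500m", "1Gi", "1G") -> float in base units."""
    if q.endswith("m"):                       # milli-CPU
        return float(q[:-1]) / 1000
    for suffix, factor in UNITS.items():      # two-letter suffixes checked first
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * factor
    return float(q)

def pod_usage(pod):
    """One pod object plus summed container requests/limits, keyed like the quota."""
    usage = {"pods": 1}
    for c in pod["containers"]:
        for kind in ("requests", "limits"):
            for name, val in c.get("resources", {}).get(kind, {}).items():
                usage[kind + "." + name] = usage.get(kind + "." + name, 0) + parse_qty(val)
    return usage

def admit(hard, used, pod):
    """Quota admission: (True, new_used) or (False, reason). A pod that declares
    nothing for a constrained resource is refused, so nothing unbounded slips in."""
    need = pod_usage(pod)
    for key in hard:
        if key.startswith(("requests.", "limits.")) and key not in need:
            return False, "pod must declare " + key + " (quota constrains it)"
    for key, limit in hard.items():
        if used.get(key, 0) + need.get(key, 0) > parse_qty(limit):
            return False, "exceeded quota for " + key
    new = dict(used)
    for key, val in need.items():
        new[key] = new.get(key, 0) + val
    return True, new

# Constructed sample data: a quota for ns lw1, a pod taking half of it, a pod with nothing declared.
HARD = {"requests.cpu": "1", "requests.memory": "1Gi",
        "limits.cpu": "2", "limits.memory": "2Gi", "pods": "2"}
HALF = {"containers": [{"name": "web", "resources": {
    "requests": {"cpu": "500m", "memory": "512Mi"},
    "limits": {"cpu": "1", "memory": "1Gi"}}}]}
NO_RES = {"containers": [{"name": "web"}]}    # no requests/limits at all

def demo():
    """Admit pods one by one; returns (ok, reason) per pod."""
    used, out = {}, []
    for pod in (HALF, HALF, HALF, NO_RES):
        ok, result = admit(HARD, used, pod)
        out.append((ok, "admitted" if ok else result))
        used = result if ok else used
    return out
```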
Metrics server
-------------
It is very important to monitor your servers; it is hard for an admin to see what is going on.
On k8s, if a pod fails it is relaunched.
How much RAM/CPU is in use, how much is free, what free resources are available: this is called metrics.
There used to be a tool called Heapster; now it is the metrics server (download from GitHub).
Install and run it.
This pod runs as an agent. They install cagent (runs as a daemon set).
> minikube addons enable metrics-server
> kc top pod
It can monitor nodes or pods:
> kc top node
Shows you the use %.
This tool does not give you detail, but you can integrate a cloud metrics agent,
or you can use Splunk, new .., Prometheus/Grafana.