Wednesday, May 12, 2021

Kubernetes - constraint security

security constraint

constrain the security/process with limited privilege

limited power

UID == 0
UID >= 1000

SELinux

container security

SEC constraint

- Run the process with limited power.

login to your system as a normal user, say sam
$ cat /etc/shadow
access denied

try with root,
# cat /etc/shadow

Create a deployment
> kc create deploy myd --image=vimal13/apache-webserver-php
> kc get pods
> kc exec -it myd-xxxx -- sh

# id
# ps -aux

you are running as the root user

# sleep 20 &
# ps -aux
you see sleep is running as root.

> kc describe pods mypod....

> kc get pods myd-xx -o yaml > p.txt
> notepad p.txt

review it; you will see the security context, and there is nothing in it:

securityContext: {}

how can you constrain with limited power?


more security-context

Pod manifest (security-context.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
...

> kc apply -f security-context.yaml
> kc get pods
> kc exec -it security-context-demo -- sh
$ id
you see uid=1000 and gid=3000
$ ps




# vi t.py
import time
time.sleep(300)
# python3 t.py
it has started

open a new terminal
# ps -aux | grep t.py



Cap -> capability
when a process starts, what is its capability?
- change network settings?
- change network stack?
- change time?

what's the capability of the process?

You can write your process in some language, and run it with the proper capability.

$ date
$ date 1212121212

you get an error: not permitted
you don't have the capability to change the time as a normal user

$ ifconfig
$ ifconfig eth0 1.2.3.4
operation not permitted


# cat security-context_cap.yaml

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]


> kc apply -f security-context_cap.yaml
> kc exec -it security-context-demo-4 -- sh

# ps -aux



# ifconfig
# ip a s
# ip addr add 1.2.3.4/24 dev eth0
# ip a s

This is a concept of constraint.
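The two manifests above go in opposite directions: the first lowers the uid, the second adds a capability. As an added example (not from the original notes), the manifest below combines the constraints a defender would normally set by default on an untrusted workload: refuse to run as uid 0, start the container with no capabilities at all, forbid privilege escalation, and make the root filesystem read-only. The pod name is a placeholder; the image and sleep command are the same busybox demo used above.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: constrained-demo        # placeholder name
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container if it would run as uid 0
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "sleep 1h"]
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries cannot gain more privilege than the process has
      readOnlyRootFilesystem: true      # writes go only to mounted volumes
      capabilities:
        drop: ["ALL"]                   # start from an empty capability set; add back only what is proven necessary
```

After applying it, the same checks as before show the effect: id reports uid=1000, `ip addr add ...` fails with "operation not permitted" even though the process would have NET_ADMIN in a default container, and `touch /x` fails because the root filesystem is read-only. Add individual capabilities (as the NET_ADMIN manifest does) only for a workload that demonstrably needs them.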


Limits and quotas

> kc delete all --all


user (image)  --> master

node1 - 4GB/4CPU
node2 - 16GB/6CPU
node3 - 16GB/16CPU

when you launch a new container, you have a minimum requirement of 1 GB RAM / 2 CPU.
kube-scheduler checks the nodes and finds which node has the RAM and CPU available for that requirement.
if the RAM is available, it launches on that node; if that much RAM/CPU is not available, the container stays in Pending state.

Limit request

you defined the minimum requirement (the request), but not the maximum (the limit).

[heap memory]

it is always good practice to set a max limit.
when a pod launches, there are lots of processes running and they may use more resources, so it's a good idea to limit the max value.
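As an added example (not from the original notes), this pod declares both halves: the request, which is the minimum the scheduler must find free on a node before placing the pod, and the limit, which is the ceiling the kubelet enforces once the pod is running. The request values are the 1 GB RAM / 2 CPU minimum used in the notes; the pod name, image and limit values are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: limited-pod             # placeholder name
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "sleep 1h"]
    resources:
      requests:                 # used by kube-scheduler for placement
        memory: "1Gi"           # the notes' minimum: 1 GB RAM
        cpu: "2"                # and 2 CPU
      limits:                   # enforced by the kubelet on the chosen node
        memory: "2Gi"           # exceeding this gets the container OOM-killed
        cpu: "4"                # exceeding this gets the container CPU-throttled
```

With the three nodes in the notes, any of them can satisfy a 1Gi / 2 CPU request; if the sum of requests already scheduled on every node left less than that free, the pod would sit in Pending, which is the condition described above. A limit lower than the request is rejected at admission, so the limit is always at least the request.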

> kc create deploy

> kc get pods myd-... -o yaml > z.txt
> notepad z.txt
review all the output

go down, look for limit


missed about 5 minutes here,

> kc get limitrange
> kc describe limitrange


notepad limitrange_pod.yaml


limit range is per namespace

> kc get pods
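The notes only name limitrange_pod.yaml without showing its contents, so here is an added example (not the file from the class) of what a LimitRange looks like. Its name and values are placeholders. A LimitRange does two things: it fills in requests and limits for containers that did not set any, and it rejects containers whose values fall outside the min/max window.

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: container-limits        # placeholder name
spec:
  limits:
  - type: Container
    default:                    # injected as limits when a container sets none
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:             # injected as requests when a container sets none
      cpu: "250m"
      memory: "128Mi"
    max:                        # a container asking for more is rejected at admission
      cpu: "2"
      memory: "1Gi"
    min:                        # a container asking for less is rejected at admission
      cpu: "100m"
      memory: "64Mi"
```

Apply it with `kc apply -f limitrange_pod.yaml --namespace <ns>`; because it is per namespace, a pod created in another namespace is untouched. After applying, `kc get pods <name> -o yaml` on a pod that declared no resources shows the default values filled in, which is what to look for when reviewing the output as described above.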



Quota

Namespace

create a user with RBAC
- constraint this user with particular namespace.

- Create ns
- create ns
- set rbac to this user, power to work on this particular ns
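An added example (not from the original notes) of the RBAC step: a Role scoped to one namespace plus a RoleBinding that grants it to the user. The user name sam and the namespace lw1 are the ones used elsewhere in these notes; the Role name, RoleBinding name and the verb list are placeholders.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                       # namespaced: grants nothing outside metadata.namespace
metadata:
  name: lw1-developer            # placeholder name
  namespace: lw1
rules:
- apiGroups: [""]
  resources: ["pods", "services", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sam-lw1-developer        # placeholder name
  namespace: lw1
subjects:
- kind: User
  name: sam
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: lw1-developer
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kc auth can-i create pods --namespace lw1 --as sam` (yes) and `kc auth can-i create pods --namespace default --as sam` (no). Note what this does not do: within lw1 the Role says nothing about how many pods or PVCs sam may create, which is exactly the gap the quota discussion below addresses.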

There is no constraint and they have full control over
pvc, pv, rc, svc ....
create n number of pods

what do we do?
we can tell our ns the max pv, pvc or anything: set a limit
say pod=3, pvc=2 - limit the resources

This can be done with quotas.

> kc get quota

> kc create namespace lw1
> kc get quota --namespace lw1
no resources found...

quota (quotas.yaml):

apiVersion: v1
kind: ResourceQuota
metadata:
  name: myq
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi    # value truncated in the notes; 2Gi assumed

> kc apply -f quotas.yaml --namespace lw1

you can create a quota from the command line too

> kc create --help
look for the example
> kc create quota myq --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10

> kc get pvc
> kc get quota
> kc get pods

metric Server
-------------

it's very important to monitor your servers.
it's hard for the admin to see what is going on.
on k8s, if a pod fails, it will relaunch.

how much RAM/CPU is used/free, what free resources are available: this is also called metrics.

there used to be a tool called heapster, but now it's the metrics server (download from github)

install, and run.
this pod runs as an agent. They install cagent (runs as a daemon set).

> minikube addons enable metrics-server

> kc top pod

it can monitor nodes or pods

> kc top node
shows you the use %

This tool does not give you detail, but you can integrate a cloud metric agent.
or you can use
Splunk
new ..
prometheus/grafana
