Monday, March 27, 2023

Kubernetes container basics & security

Originally developed by Google as Borg & later open-sourced.

Pros: Scalable, HA, self-healing, auto-rollback, horizontal scaling. Portable across on-prem, hybrid & multiple public clouds. Uniform way to package, deploy & manage apps.
Cons: Complex to set up & operate. Higher costs. k8s avoided by startups.
Popular balance: hand control plane management to a managed k8s service such as EKS, AKS or GKE, which handles setup, configuration, scaling & support. Used by mid-sized orgs.

Creates a cluster of nodes.

  • Cluster has a control plane that manages the state of the cluster. In production it runs on multiple nodes across datacenters.
    • Controller manager
      • Runs the controllers that manage cluster state. Eg: the replication controller maintains pod replicas; the deployment controller manages updates & rollbacks.
    • Scheduler: schedules pods onto worker nodes, deciding which node to use based on resource availability & the pod's requirements.
    • etcd: Distributed KV store holding the cluster's persistent state.
    • API server
      • Interface between the control plane & worker nodes. Exposes the REST API used by the admin UI & CLI.
  • Cluster has worker nodes, each a physical machine or VM.
    • Each node runs pods, the smallest deployable object in K8s. Created & managed by the control plane.
      • Each pod holds one or more containers, which share storage & networking.
    • kubelet: Daemon that runs on each worker node. Communicates with the control plane. Maintains the desired state of pods.
    • kube-proxy: Network proxy that runs on each worker node. Routes traffic to pods. Load balances & distributes traffic evenly across pods.
    • container runtime: Runs containers on worker nodes. Pulls images from the registry. Starts & stops containers. Manages container resources.

Security:
Detection: Detect breach after it has happened.
Prevention: Prevent breach from happening in the first place.

Shift Left: Can container security issues be detected before the breach?

Check packages on the container.
Secure the host.
Run a security agent as a privileged container.
Check container settings: is it running privileged? Check the auto-scaling config: is it scaled down so far that service degrades, or scaled up so high that costs run away?
Fetch events & write them to a queuing service like Kafka. Write to an AP store (Cassandra or DynamoDB) and/or Elasticsearch. Where needed, such as for config info, also use a CA RDBMS like Postgres.
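As an added example (not from the original post), a shift-left check over manifests before they are applied: it flags privileged containers, except an allow-listed security agent like the one mentioned above, and HPA replica bounds outside a policy range. The policy bounds, the allow-list name and the sample manifests are all constructed assumptions.

```python
import json
# Assumed policy bounds and allow-list, constructed for this example.
MIN_REPLICAS_FLOOR = 2      # below this a single pod failure degrades service
MAX_REPLICAS_CEILING = 20   # above this cost runs away
PRIVILEGED_ALLOWLIST = {"security-agent"}  # the one privileged agent run on purpose

def check_pod_spec(name, pod_spec):
    """Flag init or regular containers that run privileged and are not allow-listed."""
    findings = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True and c["name"] not in PRIVILEGED_ALLOWLIST:
                findings.append(f"{name}/{c['name']}: privileged container (full host access)")
    return findings

def check_hpa(name, hpa_spec):
    """Flag HPA replica bounds that fall outside the assumed policy."""
    findings = []
    lo = hpa_spec.get("minReplicas", 1)  # Kubernetes default when the field is omitted
    hi = hpa_spec["maxReplicas"]         # required field on an HPA
    if lo < MIN_REPLICAS_FLOOR:
        findings.append(f"{name}: minReplicas={lo} risks degraded service")
    if hi > MAX_REPLICAS_CEILING:
        findings.append(f"{name}: maxReplicas={hi} exceeds cost ceiling")
    return findings

def lint(manifests):
    """Route each manifest to its check; a Deployment is checked via its pod template."""
    findings = []
    for m in manifests:
        name, kind, spec = m["metadata"]["name"], m["kind"], m["spec"]
        if kind == "Deployment":
            findings += check_pod_spec(name, spec["template"]["spec"])
        elif kind == "Pod":
            findings += check_pod_spec(name, spec)
        elif kind == "HorizontalPodAutoscaler":
            findings += check_hpa(name, spec)
    return findings

# Constructed sample manifests in JSON form (what kubectl would apply), not from any real cluster.
SAMPLE = json.loads("""[
 {"kind":"Deployment","metadata":{"name":"web"},"spec":{"template":{"spec":{"containers":[
   {"name":"app","securityContext":{"privileged":true}}]}}}},
 {"kind":"Pod","metadata":{"name":"agent"},"spec":{"containers":[
   {"name":"security-agent","securityContext":{"privileged":true}}]}},
 {"kind":"HorizontalPodAutoscaler","metadata":{"name":"web-hpa"},"spec":{"minReplicas":1,"maxReplicas":50}}
]""")
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Run against a directory of manifests in CI, failing the build on any finding, and the privileged check happens before the breach rather than after it.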
