Layers of isolation in Kubernetes

Kubernetes has several nested layers, each of which provides some level of isolation and security. Building on the container, Kubernetes layers provide progressively stronger isolation. Here are the layers of a Kubernetes environment:

๐ŸŒŸ๐‚๐จ๐ง๐ญ๐š๐ข๐ง๐ž๐ซ (๐ง๐จ๐ญ ๐ฌ๐ฉ๐ž๐œ๐ข๐Ÿ๐ข๐œ ๐ญ๐จ ๐Š๐ฎ๐›๐ž๐ซ๐ง๐ž๐ญ๐ž๐ฌ): 
๐Ÿ‘‰A container provides basic management of resources, but does not isolate identity or the network. It provides some security isolation, but only provides a single layer, compared to our desired double layer.

๐ŸŒŸ๐๐จ๐:
๐Ÿ‘‰A pod isolates a few more resources than a container, including the network. It does micro-segmentation using Kubernetes Network Policy, which dictates which pods can speak to one another. But it still suffers from noisy neighbors on the same host.
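As an added example of the pod-level network isolation described above (not part of the original post), here is a default-deny NetworkPolicy paired with a single allow rule. The namespace team-a and the labels app=frontend and app=backend are constructed names.

```yaml
# Added example, not from the original post. Assumes a namespace team-a
# and pods labelled app=frontend / app=backend (all constructed names).
# 1) Deny all ingress to every pod in team-a: an empty podSelector ({})
#    selects all pods, and listing Ingress with no rules allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Re-open only what is needed: frontend pods in the same namespace may
#    reach backend pods on TCP 8080. Policies are additive, so this rule
#    is unioned with the deny-all above; every other source stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

NetworkPolicy objects are only enforced when the cluster's network plugin implements them; on a cluster without such a plugin the API accepts the objects but they have no effect, so verify enforcement rather than assuming it.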

๐ŸŒŸ๐๐จ๐๐ž:
๐Ÿ‘‰A node includes a collection of pods, and has a superset of the privileges of those pods. A node leverages a hypervisor or hardware for isolation, including for its resources.
You can use firewall rules to restrict network traffic to the node.

๐ŸŒŸ๐‚๐ฅ๐ฎ๐ฌ๐ญ๐ž๐ซ:
๐Ÿ‘‰A cluster is a collection of nodes and a control plane. This is a management layer for your containers. Clusters offer stronger network isolation with per-cluster DNS.

๐ŸŒŸ๐๐ซ๐จ๐ฃ๐ž๐œ๐ญ:
๐Ÿ‘‰A GCP project is a collection of resources, including Kubernetes Engine clusters. A project provides all of the above, plus some additional controls that are GCP-specific, like project-level IAM for Kubernetes Engine and org policies. Resource names, and other resource metadata, are visible up to this layer.

There's also the Kubernetes Namespace, the fundamental unit of authorization in Kubernetes. A namespace can contain multiple pods. Namespaces provide some control in terms of authorization, via namespace-level RBAC, but do not by themselves control resource quota, network, or policies.
