📝 Layers of isolation in Kubernetes

Kubernetes has several nested layers, each of which provides some level of isolation and security. Building on the container, Kubernetes layers provide progressively stronger isolation. Here are the layers of a Kubernetes environment:

๐ŸŒŸ๐‚๐จ๐ง๐ญ๐š๐ข๐ง๐ž๐ซ (๐ง๐จ๐ญ ๐ฌ๐ฉ๐ž๐œ๐ข๐Ÿ๐ข๐œ ๐ญ๐จ ๐Š๐ฎ๐›๐ž๐ซ๐ง๐ž๐ญ๐ž๐ฌ): 
๐Ÿ‘‰A container provides basic management of resources, but does not isolate identity or the network. It provides some security isolation, but only provides a single layer, compared to our desired double layer.

๐ŸŒŸ๐๐จ๐:
👉 A pod isolates a few more resources than a container, including the network. It does micro-segmentation using Kubernetes Network Policy, which dictates which pods can speak to one another. But it still suffers from noisy neighbors on the same host.
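The pod-level micro-segmentation mentioned above is expressed as NetworkPolicy objects. The manifest below is an added example, not part of the original post; it assumes a namespace named "payments" holding pods labelled app=frontend and app=api, and an api container listening on TCP 8080. It first denies all ingress and egress for every pod in the namespace, then selectively re-allows the one frontend-to-api path plus DNS lookups, which is the usual "default deny, allow-list the rest" pattern.

```yaml
# Added example (not from the original post).
# Assumed names: namespace "payments", labels app=frontend / app=api, api port 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}          # empty selector = every pod in this namespace
  policyTypes:
  - Ingress
  - Egress                 # no ingress/egress rules listed, so everything is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api             # this policy applies to the api pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend    # only frontend pods in the same namespace may connect
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: frontend        # this policy applies to the frontend pods
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api         # frontend may reach api on 8080 and nothing else in-namespace
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          # kubernetes.io/metadata.name is set automatically on every namespace
          # by recent Kubernetes releases; it lets us target kube-system for DNS
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply it with `kubectl apply -f` and remember two caveats: policies are additive (any matching allow rule opens a path, so audit them together), and NetworkPolicy is only enforced when the cluster's network plugin supports it; on a cluster without an enforcing CNI the objects are accepted by the API server but have no effect, so verify with a test pod (for example `kubectl exec` into a pod without the frontend label and confirm the connection to api is refused) rather than trusting that the manifest applied.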

๐ŸŒŸ๐๐จ๐๐ž:
👉 A node includes a collection of pods, and has a superset of the privileges of those pods. A node leverages a hypervisor or hardware for isolation, including for its resources.
You can use firewall rules to restrict network traffic to the node.

๐ŸŒŸ๐‚๐ฅ๐ฎ๐ฌ๐ญ๐ž๐ซ:
๐Ÿ‘‰A cluster is a collection of nodes and a control plane. This is a management layer for your containers. Clusters offer stronger network isolation with per-cluster DNS.

๐ŸŒŸ๐๐ซ๐จ๐ฃ๐ž๐œ๐ญ:
๐Ÿ‘‰A GCP project is a collection of resources, including Kubernetes Engine clusters. A project provides all of the above, plus some additional controls that are GCP-specific, like project-level IAM for Kubernetes Engine and org policies. Resource names, and other resource metadata, are visible up to this layer.

There's also the Kubernetes Namespace, the fundamental unit for authorization in Kubernetes. A namespace can contain multiple pods. Namespaces provide some control in terms of authorization, via namespace-level RBAC, but don't try to control resource quota, network, or policies.
