Kubernetes pod and namespace security model #4029
Merged
+93
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Also references #4126 |
Merged
|
Will look at monday when I return to work.
|
smarterclayton
added
the
kind/design
| * are less focused about application security | ||
|
|
||
| * Administrators: | ||
| * are less focused on application security. Focused on operation system security. |
|
minor typos, and we will need to come back to a discussion of how practical 4b and 4c are. But LGTM. |
This proposed update to docs/design/security.md includes proposals on how to ensure containers have consistent Linux security behavior across nodes, how containers authenticate and authorize to the master and other components, and how secret data could be distributed to pods to allow that authentication. References concepts from kubernetes#3910, kubernetes#2030, and kubernetes#2297 as well as upstream issues around the Docker vault and Docker secrets.
smarterclayton
force-pushed
the
security_proposal
branch
from
96cd956
to
358d1ab
Compare
|
Comments and questions updated. ----- Original Message -----
|
erictune
added a commit
that referenced
this pull request
Feb 13, 2015
Kubernetes pod and namespace security model
|
You might be interested in this recent security design for etcd. Would be interesting to get your feedback there: etcd-io/etcd#2384 |
xingzhou
pushed a commit
to xingzhou/kubernetes
that referenced
this pull request
Dec 15, 2016
Kubernetes pod and namespace security model
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This proposed update to docs/design/security.md includes proposals
on how to ensure containers have consistent Linux security behavior
across nodes, how containers authenticate and authorize to the master
and other components, and how secret data could be distributed to
pods to allow that authentication.
References concepts from #3910, #2030, and #2297 as well as upstream issues
around the Docker vault and Docker secrets.
Pulled together to frame the discussion from #3910 as a cross Kubernetes
concept as per @erictune