Ashutosh Mahajan's blog
Day 5: Kubernetes Storage Kubernetes Security

Day 5: Kubernetes Storage Kubernetes Security

Ashutosh Mahajan's photo
Ashutosh Mahajan
·

5 min read

Table of contents

Introduction

Kubernetes is a powerful container orchestration platform that provides a wide range of features to manage containers, including storage management. In this blog, we will explore the Kubernetes storage management capabilities, including Persistent Volumes (PV), Persistent Volume Claims (PVC), Storage Classes, and StatefulSets and we will also discuss each of these security mechanisms in detail with practical examples

Kubernetes Storage

Kubernetes storage provides a way to persist data across container restarts and container migrations. Kubernetes provides several storage primitives to manage persistent storage for stateful applications. These primitives include Persistent Volumes (PV), Persistent Volume Claims (PVC), and Storage Classes.

Persistent Volumes (PV)

A Persistent Volume (PV) is a cluster-level resource that represents a piece of networked storage. It is created by an administrator and is available for use by any pod in the cluster. PVs are not associated with any specific pod, which means that they can be used by any pod that requests them.

We can create a PV by defining a YAML file that specifies the properties of the PV.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: my-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard
  hostPath:
    path: /mnt/data

This YAML file creates a PV named "my-pv" with a capacity of 1Gi, ReadWriteOnce access mode, and the standard storage class. The PV is backed by a hostPath volume, which means that the data will be stored on the host machine's file system.

Persistent Volume Claims (PVC)

A Persistent Volume Claim (PVC) is a request for a specific amount of storage from a PV. PVCs are created by users and are used to request a certain amount of storage with specific properties, such as access mode, storage class, and storage size.

We can create a PVC by defining a YAML file that specifies the properties of the PVC.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard

Storage Classes

A Storage Class is a way to describe the properties of the storage that will be used by PVCs. Storage Classes allow administrators to define different classes of storage with different properties, such as performance, access mode, and storage media.

StatefulSet

StatefulSet is a Kubernetes primitive that is used to manage stateful applications. It provides unique network identifiers and persistent storage to each pod in the set, which ensures that the pods are started and stopped in the correct order. Stateful sets are commonly used to run databases, message brokers, and other stateful applications.

Kubernetes Security

With the growing popularity of Kubernetes, security has become a critical concern for organizations using Kubernetes. Kubernetes security is a multi-layered approach that includes RBAC, Pod Security policies, network policies, and TLS.

Role-Based Access Control (RBAC)

RBAC is a Kubernetes mechanism that provides authorization control to access Kubernetes resources. RBAC allows defining roles and binding them to users or groups. A role contains a set of rules that define what actions can be performed on specific resources. Kubernetes provides two types of roles, namely Role and ClusterRole. Role is used to grant permissions for a specific namespace, while ClusterRole provides permissions across the entire cluster.

Let's say we have a Kubernetes cluster with two namespaces: "dev" and "prod." We want to grant permissions to a user named "Jane" to create, read, and update deployments in the "dev" namespace. We can create a Role named "dev-deployment-admin" in the "dev" namespace with the following YAML configuration:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-deployment-admin
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "update"]
- apiGroups: ["apps"]
  resourceNames: ["nginx-deployment"]
  resources: ["deployments"]
  verbs: ["get"]

This configuration binds the "dev-deployment-admin" role to the "jane" user in the "dev" namespace.

Pod Security Policies

Pod Security policies are a Kubernetes mechanism that enables enforcing security policies on pods. Pod Security policies allow for defining a set of conditions that pods must satisfy to run. For example, a Pod Security policy can enforce that containers run as non-root users or restrict the use of privileged containers.

Let's say we have a Pod Security policy named "restricted" that enforces that containers run as non-root users and do not run with privileged permissions. We can create this policy with the following YAML configuration:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'

This configuration enforces that containers must not run with privileged permissions, run as non-root users, and use only the specified volumes.

Network Policies

Network Policies provide fine-grained control over the network traffic that is allowed to and from a Kubernetes pod. Network Policies allow you to define rules to specify which traffic is allowed to reach your pods and which traffic is blocked. By default, Kubernetes allows all traffic to and from pods within a cluster, but this can be changed with Network Policies. We can create a Network Policy with the following YAML configuration:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80

This configuration allows traffic from the "frontend" pod to the "backend" pod on port 80 and blocks all other traffic.

TLS (Transport Layer Security)

TLS is a protocol that provides secure communication over a network. Kubernetes supports TLS to secure communication between Kubernetes components and between clients and the Kubernetes API server. Kubernetes supports three types of TLS certificates: serving certificates, client certificates, and intermediate certificates.

Let's say we want to secure communication between the Kubernetes API server and the kubelet. We can create a serving certificate and key pair with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=kube-apiserver-kubelet-client"

Conclusion

Kubernetes provides various storage solutions to manage persistent storage for containerized applications. PVs and PVCs provide a way to abstract the underlying physical storage and provide a persistent storage solution to the pod. StorageClasses allow administrators to create different types of storage based on the requirements of the application. StatefulSets provide a way to manage stateful applications with multiple replicas. It's important to understand these storage solutions and use them effectively to ensure that your applications have reliable and persistent storage. Kubernetes provides several security mechanisms, including RBAC, Pod Security policies, Network policies, and TLS, to secure containerized applications. It's important to implement these security mechanisms to ensure that your Kubernetes cluster is secure and your data is protected.

Did you find this article valuable?

Support Ashutosh Mahajan's blog by becoming a sponsor. Any amount is appreciated!

Kubernetes#KubeWeekChallenge TrainWithShubhamTLSSecurity