Presentation is loading. Please wait.

Presentation is loading. Please wait.

Setting policies in kubernetes

Published byShinta Darmali Modified over 6 years ago

Similar presentations

Presentation on theme: "Setting policies in kubernetes"— Presentation transcript:

1 Setting policies in kubernetes

2 Can we use the same environment?
2 goals Sandboxed computing environment to scientists Access to it’s underlying infrastructure to network engineers and sysadmins Can we use the same environment? Don’t care where exactly code runs Care about computing resources they get/can use Want to collaborate or protect their data Need to execute code on particular hardware No high resources demand Have highest access level to the data and infrastructure, need to define privileges

3 Resources management Scientists don’t care where code runs
Network Engineers need to Execute code on particular hardware

4 Infrastructure changes
Hardware appears, disappears, breaks, moves around Automatically reschedule user jobs Respecting the policies Not annoying scientists with those changes Reconfigure monitoring

5 Containers: Contain only the code to run
Don't depend on the environment – docker provides unified one Can request needed resources from the host (if allowed) Stateless – easy to reschedule Store state in persistent storage, which isn’t tied to a host

6 Namespaces Isolate user space Create environment to collaborate
Define policies

7 Node labels We define the labeling scheme
Users request/limit needed resources (CPU, MEM, GPU, …) by using labels

8 Pod security policies Define level of isolation from the host
Can bind to host network? Host capabilities? Privileges escalation? What can mount? controls the level of isolation from host Can we bind to host network? What can we do on the host? Control OS settings? Isolate scientists but provide access to network engineers and tooling PODs can only do what the user running it can do - no privileges escalation (unless allowed)

9 Role-Based Access Control (RBAC)
root admin Can do anything (assign admins, manage system resources, deploy monitoring and tuning tools, set/unset restrictions on nodes based on namespace) Have access to full kubernetes API - flexibility, rich capabilities admin Can create and delete namespaces, add/delete users and admins to namespaces under control Do it with web portal - easy, no entry barrier. user Can run computations in namespaces created and controlled by an admin Might have access to several namespaces guest Can’t run or view anything Can be promoted to user or admin

Download ppt "Setting policies in kubernetes"

Similar presentations

Cloud Service Models and Performance Ang Li 09/13/2010.

Cloud Service Models and Performance Ang Li 09/13/2010.
Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.

Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.
System Center 2012 R2 Overview

System Center 2012 R2 Overview
Google App Engine Cloud B. Ramamurthy 7/11/2014CSE651, B. Ramamurthy1.

Google App Engine Cloud B. Ramamurthy 7/11/2014CSE651, B. Ramamurthy1.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Ken Birman. Massive data centers We’ve discussed the emergence of massive data centers associated with web applications and cloud computing Generally.

Ken Birman. Massive data centers We’ve discussed the emergence of massive data centers associated with web applications and cloud computing Generally.
Where Do the 7 layers “fit”? 1 2 3 4 5 6 7 Or, where is the dividing line between hdw & s/w? ? ?

Where Do the 7 layers “fit”? Or, where is the dividing line between hdw & s/w? ? ?
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
Operating Systems: Principles and Practice

Operating Systems: Principles and Practice
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
Platform as a Service (PaaS)

Platform as a Service (PaaS)
VAP What is a Virtual Application ? A virtual application is an application that has been optimized to run on virtual infrastructure. The application software.

VAP What is a Virtual Application ? A virtual application is an application that has been optimized to run on virtual infrastructure. The application software.
Cloud Computing Kwangyun Cho v=8AXk25TUSRQ.

Cloud Computing Kwangyun Cho v=8AXk25TUSRQ.
Presented by Amlan B Dey.  Access control is the traditional center of gravity of computer security.  It is where security engineering meets computer.

Presented by Amlan B Dey.  Access control is the traditional center of gravity of computer security.  It is where security engineering meets computer.
Meet with the AppEngine Márk Gergely eu.edge. What is AppEngine? It’s a tool, that lets you run your web applications on Google's infrastructure. –Google's.

Meet with the AppEngine Márk Gergely eu.edge. What is AppEngine? It’s a tool, that lets you run your web applications on Google's infrastructure. –Google's.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
Virtual Workspaces Kate Keahey Argonne National Laboratory.

Virtual Workspaces Kate Keahey Argonne National Laboratory.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

Similar presentations

Ads by Google