Kubernetes Pod Spec: Better Defaults & Security

Рет қаралды 2,864

Bret Fisher Docker and DevOps

Күн бұрын

Пікірлер: 15

@BretFisher 2 жыл бұрын

What else do you need in your default pod spec?

@pbnjdev 2 жыл бұрын

Hello Bret, your videos and educational materials are underrated. As an infra/security engineer who's been working deeply with Kubernetes & containers for the past 6 years, I continue to learn new things from your channel. Thank you for all the work you do to share knowledge with the community.

@BretFisher 2 жыл бұрын

Wow, thanks!

@mitchharpur 2 жыл бұрын

Great session. Thank you for the effort to explain the details

@archemedes3451 2 жыл бұрын

YES! It's that you share not just the "what" but the "why". 👍

@BretFisher 2 жыл бұрын

My pleasure!

@RAHUL841991 Жыл бұрын

Thanks , really helpful

@maksimbakalo1183 2 жыл бұрын

Thanks, Bret, awesome video, watched it twice and will use it as a reference. Please do more k8s security videos.

@BretFisher 2 жыл бұрын

Great, I wanted it to be a quick reference for all the pod sec things :)

@dineshkumarprajapati5355 2 жыл бұрын

Hello Bret, thanks for detailed information about pod defaults. I have a question, can we set readinessProbe in cronjob?

@BretFisher 2 жыл бұрын

Yes you can!

@mozhago8280 2 жыл бұрын

Hi Bret, Great session as usual. I see that u did mention Apparmor and Selinux to restrict the pod access to OS resources. Do u think seccomp profile eleminates the need for such things. Thanks

@BretFisher 2 жыл бұрын

If you have the non-root stuff, and seccomp default profile enabled, then there is overlap between those and what AppArmor and SELinux does, but it's not 1-for-1, and I'm not smart enough to do a line-by-line comparison. It's really up to if you want to use a custom profile for your app, and then just pick a tool to do it in. AppArmor (apt/ubuntu) and SELinux (Red Hat) tend to be easier to use than seccomp or manually removing kernel capabilities, IMO. For some apps like NGINX, Apache, MySQL, you might find pre-created profiles you can manually apply to those pods for a much tighter security profile. At that point it doesn't matter which method you use, as long as it works on that host.

@dineshkumarprajapati5355 2 жыл бұрын

Hello Bret, I am running 5 different crons and each have different schedule time. Like 1st run every 4 minute, 2nd run every 10 minutes, 3rf run every 15 minutes, 4th run every 20 minutes and last 5th one every 45 minutes. When I start these crons, these run flawless but I found one issue is that these all crons restart after every hour. Means last cron which runs every 45 minutes got terminated in second iteration after 15 minutes (45+15) I'm using AWS EKS cluster. Can you please let me know what's causing this unusual behaviour of the crons. Thanks in advance

@BretFisher 2 жыл бұрын

I've never seen that issue before, and it doesn't sound like a normal Kubernetes behavior. I recommend reaching out to AWS support, as it sounds like an issue with your EKS.