-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
28 changed files
with
386 additions
and
29 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| Review Guidelines | ||
| ================= | ||
|
|
||
| Before a workshop is deployed in a production environment for others to use it should be reviewed to ensure it follows best practices, will not consume excessive amounts of resources, and does not create any undue security risks. | ||
|
|
||
| The follow guidelines are intended to help reviewers ensure that the workshop is ready for deployment. | ||
|
|
||
| .. toctree:: | ||
| :maxdepth: 2 | ||
|
|
||
| review-guidelines/changes-to-the-security-policy | ||
| review-guidelines/disabling-kubernetes-access | ||
| review-guidelines/workshop-user-admin-access | ||
| review-guidelines/workshop-container-memory | ||
| review-guidelines/workshop-container-cpu | ||
| review-guidelines/workshop-container-storage | ||
| review-guidelines/namespace-resource-budget | ||
| review-guidelines/workshop-container-startup | ||
| review-guidelines/docker-resource-requirements | ||
| review-guidelines/docker-container-image-registry | ||
| review-guidelines/hosting-images-on-docker-hub |
32 changes: 32 additions & 0 deletions
32
project-docs/production-guides/review-guidelines/changes-to-the-security-policy.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| Changes to the security policy | ||
| ============================== | ||
|
|
||
| By default RBAC is set up for workshop session namespaces such that containers can only run as non root users due to the increased security risk of allowing workshop users to run anything as root. | ||
|
|
||
| In an ideal world this would be fine, but too many container images out there don't follow best practices of running as a non root user and instead will only work if run as root. This is especially the case for official images from Docker Hub. | ||
|
|
||
| As an example, the `nginx` image on Docker Hub, which is often used in example deployments for Kubernetes, will only run correctly if run as root. | ||
|
|
||
| Workshops can override the default `restricted` security policy applied through RBAC by setting the `session.namespaces.security.policy` property. Currently this can be [set](running-user-containers-as-root) to the alternative of `baseline` to allow containers to be run as root. | ||
|
|
||
| ```yaml | ||
| spec: | ||
| session: | ||
| namespaces: | ||
| security: | ||
| policy: baseline | ||
| ``` | ||
| Overall the recommended solution is not to use any container image that requires it be run as root. In the case of `nginx` one can use the `bitnami/nginx` image instead. The Bitnami catalog provides various other images as well which can run as a non root user where the official Docker Hub images will only run as root. | ||
|
|
||
| If absolutely necessary a workshop definition can specify its own pod security policies and bind those to a distinct service account used by a deployment to give more elevated privileges, including running as a privileged container, but this should be avoided due to the huge security risks with workshop users being able to create their own deployments using the service account and a malicious container image which could compromise the cluster. | ||
|
|
||
| **Recommendations** | ||
|
|
||
| * If possible workshops should never use container images that require they be run as root. | ||
| * Ensure that the security policy is not overridden to allow containers images to run as root if there is no need for it. | ||
| * Ensure that workshops don't give themselves elevated privileges outside of the `restricted` and `baseline` defaults, especially the ability to run privileged containers, due to the extreme security risks. | ||
|
|
||
| **Related Issues** | ||
|
|
||
| Note that when a Kubernetes virtual cluster is enabled for use with a workshop session, the security policy for the session namespace is automatically changed from `restricted` to `baseline`. This is necessary for the virtual cluster to run properly, but also means that any deployments made to the virtual cluster by a workshop user can run as the root user. |
21 changes: 21 additions & 0 deletions
21
project-docs/production-guides/review-guidelines/disabling-kubernetes-access.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| Disabling Kubernetes access | ||
| =========================== | ||
|
|
||
| By default, a workshop session always provides access to a namespace in the Kubernetes cluster for that session. This is so that as part of a workshop deployments can be made into the Kubernetes cluster. Usually a workshop user would only have access to the single namespace created for that session. | ||
|
|
||
| If the topic of a workshop is such that there is never a need for a user to be able to deploy anything to the Kubernetes cluster themselves, access to the Kubernetes REST API can be disabled for the workshop. | ||
|
|
||
| This is done by [setting](blocking-access-to-kubernetes) `session.namespaces.security.token.enabled` to `false` in the workshop definition, and results in the service account token not being mounted into the workshop container. | ||
|
|
||
| ```yaml | ||
| spec: | ||
| session: | ||
| namespaces: | ||
| security: | ||
| token: | ||
| enabled: false | ||
| ``` | ||
| **Recommendations** | ||
| * Ensure that access to the Kubernetes REST API is disabled if access is not required. |
24 changes: 24 additions & 0 deletions
24
...ect-docs/production-guides/review-guidelines/docker-container-image-registry.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| Docker container image registry | ||
| =============================== | ||
|
|
||
| A workshop can enable the deployment of a container image registry per workshop session. This can be used to store container images built as part of the workshop instructions using `docker build`, `pack`, `kpack`, `kaniko` etc. The container images in the per session container image registry can then be deployed into the Kubernetes cluster. | ||
|
|
||
| The container image registry uses a distinct deployment separate to the deployment of the workshop instance for the session. To stores images the per session container image registry is by default given a 5Gi persistent volume. The amount of memory set aside for the container image registry defaults to 768Mi. The amount of storage and memory can | ||
| be [overridden](enabling-session-image-registry) by setting properties under `session.applications.registry` in the workshop definition. | ||
|
|
||
| ```yaml | ||
| spec: | ||
| session: | ||
| applications: | ||
| registry: | ||
| enabled: true | ||
| memory: 1Gi | ||
| storage: 20Gi | ||
| ``` | ||
| **Recommendations** | ||
| * Ensure that adequate memory is allocated to the per session container image registry. | ||
| * Ensure that adequate storage space is allocated to the per session container image registry. | ||
| * Ensure that the workshop doesn't encourage an ongoing repetitive process of building container images and pushing them to the container image registry as this will incrementally keep using more storage as no pruning is done of old image layers. | ||
| * If possible, rather than have deployments in the cluster directly reference container images on Docker Hub, have a user pull images from Docker Hub and push them to the per workshop session image registry and deploy the container image from that registry. At the same time, ensure that use of a Docker Hub mirror for each workshop environment is configured for Educates to avoid issues with possible rate limiting by Docker Hub. Alternatively look at using a shared OCI image cache with specific workshop environments to mirror required images. |
46 changes: 46 additions & 0 deletions
46
project-docs/production-guides/review-guidelines/docker-resource-requirements.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| Docker resource requirements | ||
| ============================ | ||
|
|
||
| When docker support is enabled a dockerd instance (`dind` - docker in docker) is run as a side car container to the workshop container. When building and/or running docker images within the workshop, this is done inside of the context of this side car container and not in the main workshop container. This is the same if using tools such as `pack` which although it doesn't use the docker command, does connect to the dockerd instance running in the side car container to do the actual work. | ||
|
|
||
| To ensure that building and/or running container images doesn't impact on the memory availability for the workshop container, the dockerd side car is given its own separate memory allocation. By default the amount of memory is 768Mi and this memory amount is guaranteed. If running docker builds which require a lot of memory (Java and NodeJS builds), you may need to increase the memory given to the dockerd side car container. This can be [overridden](enabling-ability-to-use-docker) in the workshop definition using the `session.applications.docker.memory` setting. | ||
|
|
||
| ```yaml | ||
| spec: | ||
| session: | ||
| applications: | ||
| docker: | ||
| enabled: true | ||
| memory: 1Gi | ||
| ``` | ||
| Because of possible large transient filesystem space requirements when building container images, as well as the space required to store the built container image, or any container image pulled down into the local dockerd instance, a persistent volume is always allocated for the dockerd container. This avoids the problem that you might run out of space on the Kubernetes node were lots of workshop instances running at the same time, but depending on how large the container images are, or how much transient space is required to build a container image, you may need to increase the amount of storage. By default the amount of storage given to dockerd is 5Gi. This can be [overridden](enabling-ability-to-use-docker) in the workshop definition using the `session.applications.docker.storage` setting. | ||
|
|
||
| ``` | ||
| spec: | ||
| session: | ||
| applications: | ||
| docker: | ||
| enabled: true | ||
| storage: 20Gi | ||
| ``` | ||
| **Recommendations** | ||
| * Ensure that docker support is not enabled if not being used because of additional resource requirements but also the security risks implicit in allowing dockerd to be run. | ||
| * Ensure that adequate memory is allocated to the dockerd side car container. | ||
| * Ensure that adequate storage space is allocated to the dockerd side car container. | ||
| * Ensure that the number of container images pulled down using docker is limited to what is required. | ||
| * Ensure that you don't encourage running successive builds as each change will result in more container layers being stored. | ||
| * Ensure that users are asked to delete container images to free up storage space if they can, before proceeding with subsequent workshop steps, rather than just allocating more storage space. | ||
| * Ensure that users are asked to delete stopped containers to free up storage space if they can, before proceeding with subsequent workshop steps, rather than just allocating more storage space. Alternatively, use the `-rm` option to `docker run` to ensure that stopped containers are automatically deleted when they exit. | ||
| **Related Issues** | ||
| Note that memory and storage requirements for the dockerd side car container should be added to the memory and storage requirements of the main workshop container when determining resource requirements for each workshop instance. In the case of memory, since both containers are in the same pod, the combined memory requirement has to be available on a node before a workshop instance can be scheduled to the node. For storage, a separate persistent volume claim is used for the dockerd side car container, but because it is part of the same pod as the main workshop container, a node has to have available with enough persistent volume mount points to support the combined total number of persistent volumes used. | ||
| Note that you cannot use storage space allocations that may work on local Kubernetes clusters using Kind or Minikube as a guide for how much you should use as the amount of storage requested in the case of those Kubernetes clusters is ignored and instead you can always use up to as much space as the VM or host system in which the Kubernetes cluster is running has for file system space. | ||
| Note that enabling docker support is always a risk and the Kubernetes cluster can be readily compromised by a knowledgeable person intent on mischief because dockerd has to be run using a privileged container with the user then also being able to run containers using docker as privileged. If possible avoid using docker and use methods for building container images that don't rely on docker, such as kaniko and Java native systems for building container images. | ||
| If the only reason for using docker is to run some services for each workshop session, instead try and run them as Kubernetes services. Alternatively, use the mechanism of the docker support to run services using a docker-compose configuration snippet. Using this method will by default result in the docker socket not being exposed inside of the workshop container thus reducing the security risk. |
Oops, something went wrong.