你的云计算凭证是否曾通过 CSI、CPI 等方式泄露过?你的控制面节点是否曾经被集群中的 Pod 攻击过?大多数Kubernetes引擎采用的安全解决方案是:
- 不在控制面节点安装 kubelet,并将所有 Kubernetes 核心组件作为进程而不是Pod运行
- 供应商对账户/身份的许可控制解决方案。
然而,这些方法带来了额外的缺点:
- 控制面问题的故障排除变得很困难
- 上游交付物在部署时被修改
- 控制面组件失去了 HA 能力。演讲者一直致力于将集群api提供商嵌套项目整合到他们的 Kubernetes 引擎中。参加本次会议可以了解到:- 在管理集群中部署和管理控制平面的新方案,这个方案如何保证你的集群安全 - 以原生方式部署控制平面后有什么额外的好处 - 可能有什么挑战以及如何解决。
参加本次会议可以了解到:
- 在管理集群中部署和管理控制平面的新方案,这个方案如何保证你的集群安全
- 以本地方式部署控制平面后有什么额外的好处?
- 可能有什么挑战以及如何解决
Have your cloud credentials ever leaked through CSI, CPI and etc.? Have your control plane nodes ever been attacked from in cluster Pods? Security solutions adopted by majority Kubernetes engines are:
• Not install kubelet in control plane nodes and run all Kubernetes core components as processes instead of Pods
• Permission control solutions for accounts/identities by providers.
However, those approaches introduce extra downsides:
• Troubleshooting control plane issue becomes difficult
• Upstream deliverables are modified for deployment
• Control plane components lose the HA ability The speakers have been working on integrating the cluster api provider nested project into their Kubernetes engine.
Join this session to learn about:
• The new solution to deploy and manage control planes in a management cluster, how does this solution secure your clusters
• What’s the extra benefits after deploying control plane in a native way
• What challenges there might be and how to resolve it