
I'm trying to create a Persistent Volume on my k8s cluster with DigitalOcean Block Storage, using the CSI driver.

It works fine, but I also want to know whether this is secure, even for production.

I'm still looking for docs about PV security but can't find what I need.

I need your opinion. Thanks.

Yechan Kim

1 Answer


I think it might be helpful to consider the following overall security aspects and apply them to your Kubernetes cluster, as described in the Kubernetes Documentation. I guess it can be a starting point for you to analyze potential security breaches in your Kubernetes cluster. You can also find some information about securing Persistent Volume storage below.

Persistent Volume (PV) storage security consists of essential strategies which you can apply using the securityContext section in a pod definition, like group IDs, the user ID, and SELinux values. Group IDs are global to the pod and applied to all containers defined in the pod. User IDs can also be global, or specific to each container. Actually, there are four sections aiming to control access to volumes:

supplementalGroups - Supplemental groups are regular Linux groups. When a process runs in Linux, it has a UID, a GID, and one or more supplemental groups typically used for controlling access to shared storage, such as NFS and GlusterFS:

apiVersion: v1
kind: Pod
...
spec:
  containers:
  - name: ...
    volumeMounts:
    - name: nfs
      mountPath: /usr/share/...
  securityContext:
    supplementalGroups: [5555]
  volumes:
  - name: nfs
    nfs:
      server: <nfs_server_ip_or_host>
      path: /opt/nfs

fsGroup - Defines a pod’s "file system group" ID, which is added to the container’s supplemental groups. The supplementalGroups ID is applied to shared storage, whereas the fsGroup ID is used for block storage.

apiVersion: v1
kind: Pod
...
spec:
  containers:
  - name: ...
  securityContext:
    fsGroup: 5555

runAsUser - User IDs can be defined globally to all containers, or specific to individual containers (or both):

spec:
  containers:
  - name: ...
    securityContext:
      runAsUser: 1000100001

seLinuxOptions - Makes it possible to assign SELinux labels to a container, with several values used by access-control security policies, such as the level label:

spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"

Nick_Kh
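To turn the four settings above into something you can check before a Pod reaches production, here is an added example (not part of the question or the answer) that audits a Pod manifest for them. The two manifests are constructed samples shaped like the JSON that `kubectl get pod <name> -o json` returns; the image name, claim name, NFS host and all UID/GID values are placeholders, and nothing here talks to a cluster. The audit also looks at runAsNonRoot, a real Pod securityContext field the answer does not mention, because it is the usual companion of runAsUser.

```python
"""Audit Pod manifests for the volume access controls discussed above
(fsGroup, supplementalGroups, runAsUser, seLinuxOptions).

Constructed example: the manifests are dicts shaped like the JSON that
`kubectl get pod <name> -o json` prints; nothing here contacts a cluster.
"""
import json

# Constructed sample: a Pod mounting a block-storage PVC with no securityContext at all.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weak-pod"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",  # placeholder image
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            }
        ],
        "volumes": [
            {"name": "data", "persistentVolumeClaim": {"claimName": "example-pvc"}}
        ],
    },
}

# Constructed sample: the same Pod with the controls applied (all values illustrative).
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened-pod"},
    "spec": {
        "securityContext": {
            "runAsUser": 1000100001,
            "runAsNonRoot": True,
            "fsGroup": 5555,
            "supplementalGroups": [5555],
            "seLinuxOptions": {"level": "s0:c123,c456"},
        },
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            }
        ],
        "volumes": [
            {"name": "data", "persistentVolumeClaim": {"claimName": "example-pvc"}},
            {"name": "shared", "nfs": {"server": "nfs.example.invalid", "path": "/opt/nfs"}},
        ],
    },
}

# Shared filesystems, where supplementalGroups (not fsGroup) governs access.
SHARED_VOLUME_TYPES = ("nfs", "glusterfs", "cephfs")


def audit_pod(manifest):
    """Return a list of findings; an empty list means every check passed."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    volumes = spec.get("volumes", [])
    findings = []

    # Block storage (PVC-backed): fsGroup decides the GID that owns files on the volume.
    if any("persistentVolumeClaim" in v for v in volumes) and "fsGroup" not in pod_sc:
        findings.append("fsGroup not set: PVC files keep the volume's default ownership, "
                        "so a non-root container may be unable to write or may depend on root")

    # Shared storage: supplementalGroups grants group access on NFS/GlusterFS exports.
    if any(t in v for v in volumes for t in SHARED_VOLUME_TYPES) and not pod_sc.get("supplementalGroups"):
        findings.append("supplementalGroups not set for a shared-storage volume")

    # seLinuxOptions only takes effect on SELinux-enforcing nodes; reported as informational.
    if "seLinuxOptions" not in pod_sc:
        findings.append("seLinuxOptions not set: on SELinux nodes the container gets the default label")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        csc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        uid = csc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid is None and not non_root:
            findings.append(f"{name}: runAsUser not set, container runs as the image's default user (often root)")
        elif uid == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
    return findings


def audit_json(text):
    """Audit a manifest given as JSON text, e.g. the output of `kubectl get pod -o json`."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Running it reports three findings for the weak Pod (missing fsGroup, missing seLinuxOptions, and a container with no runAsUser) and none for the hardened one. The checks are deliberately pod-level first and container-level second, mirroring how Kubernetes resolves runAsUser: a container-level value wins over the pod-level one.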