This is a talk delivered at the Kubernetes Bangalore meetup in January; it is an update from the KubeCon that took place in Seattle in December 2018. It also includes some updates from the recent Kubernetes release v1.13.
4. Features
● Fixed, limited duration
● Every pod gets a different service account token
● Kubelet handles rotation of the token
● Force rotate by restarting the pod
● Not stored in a Secret; mounted directly into the pod
● Clients need to re-read the token, since it changes periodically
● Specify audiences so the token is valid only for talking to those services
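As an added example (not from the talk or the Kubernetes project): a client-side reader that re-reads the projected token from its mount path on every use and checks the audience and expiry claims before presenting it. The token is a constructed, unsigned stand-in that only mimics the JWT layout, and the mount path is a temporary file rather than a real pod mount.

```python
import base64
import json
import pathlib
import tempfile
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_fake_token(aud: list, exp: int) -> str:
    # Constructed, UNSIGNED JWT-shaped token that only mimics a projected token's layout.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "exp": exp, "sub": "system:serviceaccount:default:app"}).encode())
    return f"{header}.{payload}."

def token_claims(token: str) -> dict:
    # Payload decode only, no signature check; the receiving service verifies the signature.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class ProjectedTokenReader:
    """Re-reads the projected token from its mount path on every call; the kubelet rotates it in place."""
    def __init__(self, path, expected_audience: str):
        self.path = pathlib.Path(path)
        self.expected_audience = expected_audience
    def current_token(self) -> str:
        token = self.path.read_text(encoding="utf-8").strip()  # never cache this for the pod's lifetime
        claims = token_claims(token)
        if self.expected_audience not in claims.get("aud", []):
            raise ValueError(f"token audience {claims.get('aud')} does not include {self.expected_audience!r}")
        if claims.get("exp", 0) <= time.time():
            raise ValueError("token on disk has expired; kubelet rotation has not caught up")
        return token

def demo_rotation() -> dict:
    # Simulates the kubelet replacing the mounted file (hypothetical temp path) with a fresh token.
    path = pathlib.Path(tempfile.mkdtemp()) / "token"
    reader = ProjectedTokenReader(path, "vault")
    path.write_text(make_fake_token(["vault"], int(time.time()) + 3600), encoding="utf-8")
    first = reader.current_token()
    path.write_text(make_fake_token(["vault"], int(time.time()) + 7200), encoding="utf-8")
    second = reader.current_token()
    path.write_text(make_fake_token(["other-service"], int(time.time()) + 7200), encoding="utf-8")
    try:
        reader.current_token()
        rejected = False
    except ValueError:
        rejected = True
    return {"rotated": first != second, "audience": token_claims(second)["aud"], "wrong_audience_rejected": rejected}
```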
7. Features
● Run heterogeneous container runtimes in a cluster; allows you to run VMs and containers together.
● Scheduling based on RuntimeClass is work in progress.
KEP: Runtime Class
8. New API
● RuntimeClass
● Field in PodSpec called runtimeClassName
10. Features
● Adds restrictions to the kubelet
● Node isolation
● Prevents nodes from updating taints and their own labels, specifically node-restriction.kubernetes.io/*
● Can’t delete the node object itself
● Warns on whitelisted modifications
12. Features
● Graduated from experimental
● Define what resources you want to be encrypted
● Supports various encryption providers: aescbc, secretbox, aesgcm, kms
● Solves the long-standing problem of credentials not being safe with Kubernetes.
18. References
● Transition ServiceAccount admission controller to improved service account token volumes #70679
● Kubernetes Contributor Summit 2018 - Security Through the Ages
● Deep Dive: Container Identity WG - Greg Castle & Michael Danese, Google
● Encrypting Secret Data at Rest
● NodeRestriction
● Dynamic Backend
● Audit in Kubernetes, the Future is Here - Stefan Schimanski & Maciej Szulik, Red Hat
19. Connect with us
● Twitter @k8sBLR
● Join the Kubernetes Slack (slack.k8s.io), channels #in-dev & #in-users
● GSOC for Kubernetes announced!