AkihiroSuda / instance-per-pod

Create a dedicated IaaS instance per Pod to mitigate container breakout (including CPU vulnerabilities depending on the instance type)
https://medium.com/nttlabs/instance-per-pod-bcbfb3ae2985
Apache License 2.0
22 stars 2 forks

use `node-restriction.kubernetes.io/` labels #1

Closed AkihiroSuda closed 4 years ago

AkihiroSuda commented 5 years ago

https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-isolation-restriction

AkihiroSuda commented 5 years ago

Seems not supported by GKE as of writing.

A node pool with `node-restriction.kubernetes.io/`-prefixed labels can't be added successfully to the cluster.

AkihiroSuda commented 4 years ago

Maybe we don't need this; we can just validate requests from system:node in our own webhook.

AkihiroSuda commented 4 years ago

This is not needed for the ipp=true node label (v0.1.1).

Even if a compromised node modifies the label, the node can't get unexpected pods to be scheduled, because the node is still tainted with ipp=true:NoSchedule, and the node can't modify the taint since Kubernetes v1.11
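Added example, not code from the instance-per-pod repository or from this thread: a validating admission check of the kind the earlier comment suggests ("validate requests from system:node in our own webhook"). It decodes a minimal subset of an `AdmissionReview` for a Node `UPDATE`, and if the request was issued with a kubelet credential (`system:node:<name>` username or the `system:nodes` group) it denies any change to the node's own `ipp` label or to the `ipp=true:NoSchedule` taint. The label key `ipp` and the JSON struct subset are assumptions taken from the `ipp=true` label and taint named in this thread; the sample review below is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Label and taint key/value from the thread ("ipp=true", "ipp=true:NoSchedule").
const (
	ippKey   = "ipp"
	ippValue = "true"
)

// admissionReview is only the subset of the admission.k8s.io/v1 request that this
// check reads; encoding/json ignores the many fields not declared here.
type admissionReview struct {
	Request struct {
		UID       string `json:"uid"`
		Operation string `json:"operation"`
		UserInfo  struct {
			Username string   `json:"username"`
			Groups   []string `json:"groups"`
		} `json:"userInfo"`
		Object    json.RawMessage `json:"object"`
		OldObject json.RawMessage `json:"oldObject"`
	} `json:"request"`
}

type taint struct {
	Key    string `json:"key"`
	Value  string `json:"value"`
	Effect string `json:"effect"`
}

// nodeSubset is the part of a core/v1 Node compared before and after the update.
type nodeSubset struct {
	Metadata struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec struct {
		Taints []taint `json:"taints"`
	} `json:"spec"`
}

// isNodeIdentity reports whether the request was made with a kubelet credential.
func isNodeIdentity(username string, groups []string) bool {
	if strings.HasPrefix(username, "system:node:") {
		return true
	}
	for _, g := range groups {
		if g == "system:nodes" {
			return true
		}
	}
	return false
}

// hasIppTaint reports whether the node carries the ipp=true:NoSchedule taint.
func hasIppTaint(n *nodeSubset) bool {
	for _, t := range n.Spec.Taints {
		if t.Key == ippKey && t.Value == ippValue && t.Effect == "NoSchedule" {
			return true
		}
	}
	return false
}

// ValidateNodeUpdate returns (allowed, reason, err). A Node UPDATE issued with the
// node's own credential is denied if it changes the ipp label or the ipp taint;
// every other request is allowed (other policy is out of scope for this check).
func ValidateNodeUpdate(reviewJSON []byte) (bool, string, error) {
	var ar admissionReview
	if err := json.Unmarshal(reviewJSON, &ar); err != nil {
		return false, "", fmt.Errorf("decode AdmissionReview: %w", err)
	}
	req := ar.Request
	if req.Operation != "UPDATE" || !isNodeIdentity(req.UserInfo.Username, req.UserInfo.Groups) {
		return true, "", nil
	}
	var oldNode, newNode nodeSubset
	if err := json.Unmarshal(req.OldObject, &oldNode); err != nil {
		return false, "", fmt.Errorf("decode oldObject: %w", err)
	}
	if err := json.Unmarshal(req.Object, &newNode); err != nil {
		return false, "", fmt.Errorf("decode object: %w", err)
	}
	if oldNode.Metadata.Labels[ippKey] != newNode.Metadata.Labels[ippKey] {
		return false, fmt.Sprintf("node %q may not change its own %s label", newNode.Metadata.Name, ippKey), nil
	}
	if hasIppTaint(&oldNode) != hasIppTaint(&newNode) {
		return false, fmt.Sprintf("node %q may not change its own %s taint", newNode.Metadata.Name, ippKey), nil
	}
	return true, "", nil
}

// Constructed sample: a kubelet credential trying to drop its node's ipp label.
const SampleNodeStripsLabel = `{"request":{"uid":"1","operation":"UPDATE",
 "userInfo":{"username":"system:node:worker-1","groups":["system:nodes"]},
 "oldObject":{"metadata":{"name":"worker-1","labels":{"ipp":"true"}},
   "spec":{"taints":[{"key":"ipp","value":"true","effect":"NoSchedule"}]}},
 "object":{"metadata":{"name":"worker-1","labels":{}},
   "spec":{"taints":[{"key":"ipp","value":"true","effect":"NoSchedule"}]}}}}`

func main() {
	ok, reason, err := ValidateNodeUpdate([]byte(SampleNodeStripsLabel))
	fmt.Println(ok, reason, err)
}
```

The check only covers the label: as the comment above notes, from Kubernetes v1.11 the built-in NodeRestriction admission plugin already stops a node from editing its own taints, so the taint comparison here is a belt-and-braces duplicate of that. The webhook's `ValidatingWebhookConfiguration` should be scoped to `UPDATE` on the `nodes` resource so that kubelet status heartbeats, which do not touch labels, pass through the same function and are allowed.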