AkihiroSuda / instance-per-pod

Create a dedicated IaaS instance per Pod to mitigate container breakout (including CPU vulnerabilities depending on the instance type)
https://medium.com/nttlabs/instance-per-pod-bcbfb3ae2985
Apache License 2.0

Disallow reusing idle Node for Pods with different classes #9

Open AkihiroSuda opened 4 years ago

AkihiroSuda commented 4 years ago

Currently, a Node that became idle after the pod removal can be reused for pods with an arbitrary ipp-class label.

This should be disallowed because the old Pod data may leak into the new Pod via the disk and the memory.

This is probably implementable using some DaemonSet helper. (related: https://github.com/kubernetes/autoscaler/blob/3a030ddaf8c725ed815e47df74ea3b1f8ee48f7d/cluster-autoscaler/utils/pod/pod.go, autoscaler >= v1.17)

Or maybe ipp-class taint should be added to the node dynamically. (Does GKE allow it?)
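A small model of the "add the ipp-class taint to the node dynamically" idea from the comment above, written as an added example (not code from the instance-per-pod repo). It assumes a taint key named `ipp-class` with the `NoExecute` effect and per-class tolerations on the pods; only the `ipp-class` label key comes from the issue. The helper pins a node to the class of the first pod placed on it, and the scheduler-side check then refuses pods of any other class until the node is torn down.

```python
# Added example, not instance-per-pod's own code. Label key "ipp-class" is from
# the issue; the taint key "ipp-class", the NoExecute effect and the pod
# tolerations are assumptions made for illustration. All objects are constructed.
IPP_LABEL = "ipp-class"   # from the issue
IPP_TAINT = "ipp-class"   # assumed taint key

def pod_class(pod):
    return pod["metadata"].get("labels", {}).get(IPP_LABEL)

def node_class(node):
    for t in node["spec"].get("taints", []):
        if t["key"] == IPP_TAINT:
            return t["value"]
    return None

def pin_node(node, pod):
    """DaemonSet-helper step: the first pod landing on a node taints it with the
    pod's class. NoExecute so a running pod of another class would be evicted."""
    cls = pod_class(pod)
    if cls is None:
        raise ValueError("pod has no ipp-class label")
    current = node_class(node)
    if current is None:
        node["spec"].setdefault("taints", []).append(
            {"key": IPP_TAINT, "value": cls, "effect": "NoExecute"})
    elif current != cls:
        raise RuntimeError(f"node pinned to {current!r}, refusing class {cls!r}")
    return node

def tolerates(pod, taint):
    """Kubernetes matching rules: Exists matches any value; Equal needs key+value;
    an empty effect on the toleration matches every effect."""
    for tol in pod["spec"].get("tolerations", []):
        if tol.get("key") != taint["key"]:
            continue
        if tol.get("effect") not in (None, "", taint["effect"]):
            continue
        op = tol.get("operator", "Equal")
        if op == "Exists" or (op == "Equal" and tol.get("value") == taint["value"]):
            return True
    return False

def can_schedule(node, pod):
    """Mirror of the scheduler's taint check for NoSchedule/NoExecute taints."""
    return all(tolerates(pod, t) for t in node["spec"].get("taints", [])
               if t["effect"] in ("NoSchedule", "NoExecute"))

def make_pod(name, cls):  # constructed sample pod carrying its own class toleration
    return {"metadata": {"name": name, "labels": {IPP_LABEL: cls}},
            "spec": {"tolerations": [{"key": IPP_TAINT, "operator": "Equal",
                                      "value": cls, "effect": "NoExecute"}]}}

def make_node(name):  # constructed sample node with no taints yet
    return {"metadata": {"name": name}, "spec": {"taints": []}}

def demo():
    node = make_node("ipp-node-1")
    before = can_schedule(node, make_pod("silver-1", "silver"))  # fresh node: any class
    pin_node(node, make_pod("gold-1", "gold"))                   # first pod pins it
    after = can_schedule(node, make_pod("silver-2", "silver"))   # other class refused
    same = can_schedule(node, make_pod("gold-2", "gold"))        # same class still OK
    return before, after, same
```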

AkihiroSuda commented 4 years ago

memo: critical daemonset pods are only supported in kube-system ns, but this was relaxed in k 1.17: https://github.com/kubernetes/kubernetes/pull/76310