ai-cfia / howard

The Howard project, named after "The Godfather of Clouds" Luke Howard, orchestrates the Kubernetes-based cloud infrastructure for the Canadian Food Inspection Agency's AI lab, managing applications like Nachet, Finesse, and Louis. It prioritizes robustness, security and efficiency.
https://ai-cfia.github.io/howard/
MIT License
3 stars 0 forks

Update Kubernetes manifests with 'securityContext' and optimize configurations #295

Open SonOfLope opened 4 days ago

SonOfLope commented 4 days ago

We need to update all our Kubernetes manifests (mainly deployments for client apps) to include securityContext and optimize our configurations. This includes, but is not limited to, adding resource limits and other best practices. The goal is to ensure our deployments meet current security and performance standards.

TODO:

  1. Add securityContext to Each Manifest

    • Include security configurations such as runAsUser, runAsGroup, and fsGroup.
    • Include parameters like readOnlyRootFilesystem, allowPrivilegeEscalation, etc.
    • Example configuration:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
  2. Define Resource Limits for Each Container

    • Add resources requests and limits for CPU and memory based on application needs.
    • Example configuration:
      resources:
        requests:
          memory: "256Mi"
          cpu: "500m"
        limits:
          memory: "512Mi"
          cpu: "1000m"
  3. Add Pod Disruption Budgets (PDB)

    • Define PDBs to ensure high availability during voluntary disruptions.
    • Example configuration:
      apiVersion: policy/v1
      kind: PodDisruptionBudget
      metadata:
        name: nachet-backend-pdb
      spec:
        minAvailable: 1
        selector:
          matchLabels:
            app: nachet-backend
  4. Set Affinity and Anti-affinity Rules

    • Define rules to spread or group pods across nodes.
    • Example configuration:
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nachet-backend
              topologyKey: "kubernetes.io/hostname"
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nachet-backend
              topologyKey: "kubernetes.io/hostname"
  5. Implement Role-Based Access Control (RBAC)

    • Define roles and role bindings to enforce the principle of least privilege.
    • Example configuration:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        namespace: nachet
        name: pod-reader
      rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["get", "watch", "list"]
    • Create the RoleBinding to bind the Role to the Azure AD group (we have to evaluate if this is possible)
    • Example configuration:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: read-pods-binding
        namespace: nachet
      subjects:
        - kind: Group
          name: azure-ad-group
          apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: Role
        name: pod-reader
        apiGroup: rbac.authorization.k8s.io
  6. Test updated manifests

  7. Document Changes

    • Update internal documentation with new practices and configurations.

Tasks are to be done per deployment:
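
The checklist above (steps 1 to 3) can be verified mechanically before the manifests are applied. The script below is an added example written for this page, not code from the howard repository: it reads a Deployment as JSON (the output of `kubectl get deploy -o json`) and reports missing or misplaced hardening settings. Two details it enforces are easy to get wrong when copying the fragments above: runAsUser, runAsGroup and fsGroup are pod-level keys, while readOnlyRootFilesystem and allowPrivilegeEscalation are container-level keys, and the API server rejects a securityContext that mixes the two scopes; and a PodDisruptionBudget whose minAvailable equals the replica count blocks node drains. The sample Deployment and PDB dicts are constructed for the demonstration (the image reference and file name are placeholders, not the project's).

```python
"""Static checks for the hardening checklist above: securityContext scope,
resource requests/limits, and PDB vs. replica count. Added example, not
howard project code.  Usage against a live cluster (stdin, '-' flag):
  kubectl get deploy nachet-backend -n nachet -o json | python3 check.py -
"""
import json
import sys

# Keys valid only in the pod-level securityContext, and keys valid only in a
# container securityContext. The API server rejects a manifest that mixes
# the two, so the checker flags misplaced keys before `kubectl apply`.
POD_ONLY_SC = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}
CONTAINER_ONLY_SC = {"allowPrivilegeEscalation", "readOnlyRootFilesystem",
                     "privileged", "capabilities"}


def check_deployment(deploy: dict) -> list[str]:
    """Return findings for one Deployment; an empty list means it passes."""
    name = deploy.get("metadata", {}).get("name", "<unnamed>")
    pod = deploy.get("spec", {}).get("template", {}).get("spec", {})
    findings = []

    pod_sc = pod.get("securityContext", {})
    if not pod_sc.get("runAsUser"):  # missing or 0 means the pod runs as root
        findings.append(f"{name}: pod securityContext must set a non-zero runAsUser")
    if "fsGroup" not in pod_sc:
        findings.append(f"{name}: pod securityContext must set fsGroup")
    for key in sorted(CONTAINER_ONLY_SC & pod_sc.keys()):
        findings.append(f"{name}: '{key}' belongs in the container securityContext, "
                        "not the pod securityContext")

    for container in pod.get("containers", []):
        cname = f"{name}/{container.get('name', '?')}"
        sc = container.get("securityContext", {})
        for key in sorted(POD_ONLY_SC & sc.keys()):
            findings.append(f"{cname}: '{key}' belongs in the pod securityContext")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation must be false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem must be true")
        resources = container.get("resources", {})
        for section in ("requests", "limits"):
            for unit in ("cpu", "memory"):
                if unit not in resources.get(section, {}):
                    findings.append(f"{cname}: resources.{section}.{unit} missing")
    return findings


def check_pdb(pdb: dict, deploy: dict) -> list[str]:
    """A PDB whose minAvailable is >= the replica count allows zero voluntary
    evictions, so `kubectl drain` on that pod's node blocks indefinitely."""
    replicas = deploy.get("spec", {}).get("replicas", 1)
    min_available = pdb.get("spec", {}).get("minAvailable")
    if isinstance(min_available, int) and min_available >= replicas:
        return [f"{pdb['metadata']['name']}: minAvailable={min_available} with "
                f"replicas={replicas} leaves no room for voluntary disruption"]
    return []


def _deployment(replicas: int, pod_sc: dict, container_extra: dict) -> dict:
    """Build a minimal Deployment dict for the constructed samples below."""
    container = {"name": "backend", "image": "registry.example/nachet-backend:1"}
    container.update(container_extra)
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nachet-backend", "namespace": "nachet"},
            "spec": {"replicas": replicas,
                     "selector": {"matchLabels": {"app": "nachet-backend"}},
                     "template": {"metadata": {"labels": {"app": "nachet-backend"}},
                                  "spec": {"securityContext": pod_sc,
                                           "containers": [container]}}}}


# Constructed samples, not the project's manifests. BEFORE puts every key in
# one pod-level block and sets no resources; AFTER splits the scopes correctly.
BEFORE_DEPLOYMENT = _deployment(1, {
    "runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000,
    "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}, {})
AFTER_DEPLOYMENT = _deployment(
    2, {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
    {"securityContext": {"readOnlyRootFilesystem": True,
                         "allowPrivilegeEscalation": False},
     "resources": {"requests": {"memory": "256Mi", "cpu": "500m"},
                   "limits": {"memory": "512Mi", "cpu": "1000m"}}})
PDB = {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
       "metadata": {"name": "nachet-backend-pdb", "namespace": "nachet"},
       "spec": {"minAvailable": 1,
                "selector": {"matchLabels": {"app": "nachet-backend"}}}}

if __name__ == "__main__":
    target = json.load(sys.stdin) if sys.argv[1:] == ["-"] else BEFORE_DEPLOYMENT
    for line in check_deployment(target) + check_pdb(PDB, target):
        print(line)
```

Run without arguments it reports the BEFORE sample: the two container-only keys sitting in the pod securityContext, the container missing both container-level flags, the four missing resource values, and the PDB that would block drains of a single-replica deployment; the AFTER sample passes cleanly. Two further caveats when applying steps 4 and 5: a required podAffinity and a required podAntiAffinity on the same label and the same topologyKey cannot both be satisfied once a second replica exists, so spreading replicas across nodes normally uses anti-affinity alone; and on AKS with Microsoft Entra ID integration a Group subject in a RoleBinding is matched by the group's object ID, not its display name.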

ThomasCardin commented 4 days ago

Maybe we can also add: