Does OpenShift support true multi-tenancy by segregating containers on host-level?

Does OpenShift support true multi-tenancy by segregating containers on host-level?


The host level multi-tenancy is not the same as true multi-tenancy. Kubernetes and Docker protect the host. This isn’t an OpenShift thing. For example https://access.redhat.com/documentation/en-us/openshift_container_platform/3.10/html/container_security_guide/security-hosts talks about cgroups and namespaces as providing protection. cgroups and namespaces are how Docker works in Linux.

OpenShift does provide RBAC for developers. If you use the OpenShift “Source to Image” features, they provide additional protections of the cluster as a whole. But nothing OpenShift provides protects at the pod or service level. You need custom SDNs like Calico (https://docs.projectcalico.org/about/about-calico) and Flannel (https://github.com/coreos/flannel) if you want your pods to be secure.

Why does this matter? Having host level security is equivalent to focusing on locks on your doors when you're having a party at your house. You wouldn’t leave your wallet or social security card out on the kitchen table when you have a party because there are a bunch of people running around. If you run multi tenants in the same cluster — you're having a party. A bunch of tenants are running compute on the same cluster.

But what about tags and taints? Tags and taints are like saying we’re going to have a party, but everyone agrees to stay at their own house. Every tenant gets their own hosts. From a security perspective, at that point what are you gaining? You could just as easily run on straight IaaS (for example AWS) and have the same posture. The only difference is you haven’t paid RedHat a boat load of money. Also OpenShift doesn’t ensure tenants use specific tags or taints...
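The answer above points at the network plugin as the place where pod-level isolation between tenants has to come from. As an added illustration (not part of the original answer or of any OpenShift or Calico documentation), this is the kind of Kubernetes NetworkPolicy a cluster admin would place in each tenant namespace so that a tenant's pods only accept traffic from pods in the same namespace; the namespace name `tenant-a` is an assumed example. A NetworkPolicy object is only enforced when the cluster's network plugin implements the policy API (Calico does), which is exactly the point the answer makes about needing such an SDN.

```yaml
# Added example: per-tenant ingress isolation with a NetworkPolicy.
# Assumes a namespace named "tenant-a" and a network plugin that
# enforces NetworkPolicy (e.g. Calico). Apply with:
#   kubectl apply -f tenant-a-isolation.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  # An empty podSelector selects every pod in the namespace, so the
  # policy applies to all of tenant-a's workloads.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  # A "from" entry with an empty podSelector (and no namespaceSelector)
  # matches all pods in the policy's own namespace only. Traffic from
  # any other namespace, i.e. any other tenant, is dropped because no
  # other rule matches it.
  - from:
    - podSelector: {}
```

With a selected pod, any ingress not matched by a rule is denied, so the single rule both establishes the default-deny and whitelists same-namespace traffic. If a tenant's pods must be reachable from a shared ingress controller, that controller's namespace has to be added as a second `from` entry using a `namespaceSelector`; without it the rule above blocks that path too, which is the expected failure to test for after applying it.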


Yes, you can keep containers separated from each other by running them on different hosts.

The way this is done is by configuring scheduler policies. The scheduler is not a "time scheduler", but a resource scheduler that will determine where to run pods.

Running pods (set of 1 or more containers) on different nodes can specifically be configured by using anti-affinity rules.

See https://docs.openshift.com/enterprise/3.0/admin_guide/scheduler.html in general, and https://docs.openshift.com/enterprise/3.0/admin_guide/scheduler.html#affinity specifically to get more details on how to set up this configuration.

The documentation over at https://github.com/kubernetes/kubernetes/blob/master/docs/design/podaffinity.md also provides insight into this.
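The following manifest is an added example, not code from either answer or from the linked OpenShift docs, showing how the host-level separation both answers describe is expressed in a workload spec: a node label plus taint dedicate hosts to one tenant (the "everyone stays at their own house" model of the first answer), and a required pod anti-affinity rule on `kubernetes.io/hostname` (the second answer's mechanism) refuses any node already running another tenant's pod. The namespace `tenant-a`, the label key `tenant`, the node name `node-1`, and the image reference are assumed placeholders. The `namespaceSelector: {}` field, which makes the anti-affinity check look at pods in every namespace rather than only the pod's own, is generally available from Kubernetes 1.24; on older clusters the check is limited to the pod's own namespace unless the other namespaces are listed explicitly in `namespaces`.

```yaml
# Added example: dedicating hosts to one tenant and refusing co-location
# with any other tenant's pods. The cluster admin prepares the node first
# (assumed node name "node-1"):
#   kubectl label nodes node-1 tenant=tenant-a
#   kubectl taint nodes node-1 tenant=tenant-a:NoSchedule
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: tenant-a
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
      tenant: tenant-a
  template:
    metadata:
      labels:
        app: web
        tenant: tenant-a          # every tenant pod carries this label
    spec:
      # Only nodes labelled for this tenant are candidates...
      nodeSelector:
        tenant: tenant-a
      # ...and the taint keeps other tenants' pods off those nodes unless
      # they tolerate it, so tolerating it must be restricted by admission
      # policy, which is the gap the first answer points out.
      tolerations:
      - key: tenant
        operator: Equal
        value: tenant-a
        effect: NoSchedule
      affinity:
        podAntiAffinity:
          # Hard rule: do not schedule onto a host that already runs a pod
          # whose "tenant" label is missing or differs from tenant-a.
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            namespaceSelector: {}   # consider pods from all namespaces (k8s 1.24+)
            labelSelector:
              matchExpressions:
              - key: tenant
                operator: NotIn   # also matches pods with no "tenant" label
                values:
                - tenant-a
      containers:
      - name: web
        image: registry.example.com/tenant-a/web:1.0   # placeholder image
        ports:
        - containerPort: 8080
```

Note what the `NotIn` rule implies: a pod with no `tenant` label at all, such as a monitoring agent a cluster admin runs everywhere, also counts as "another tenant" and will make every node ineligible, leaving the deployment Pending. Either label such system pods consistently or scope the rule with `namespaceSelector` to tenant namespaces only. The anti-affinity rule is `IgnoredDuringExecution`, so a pod that lands later and breaks the rule is not evicted; the taint and `nodeSelector` are what keep the separation stable after scheduling.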