Are there issues with running user pods on a Kubernetes master node?
Problem description
Many of the run-throughs for deploying Kubernetes master nodes suggest you use --register-schedulable=false
to prevent user pods being scheduled to the master node (e.g. https://coreos.com/kubernetes/docs/latest/deploy-master.html). On a very small Kubernetes cluster it seems somewhat wasteful of compute resources to effectively prevent an entire node from being used for pod scheduling unless absolutely essential.
The answer to this question (Will (can) Kubernetes run Docker containers on the master node(s)?) suggests that it is indeed possible to run user pods on a master node - but doesn't address whether there are any issues associated with allowing this.
The only information that I've been able to find to date that suggests there might be issues associated with allowing this is that it appears that pods on master nodes communicate insecurely (see http://kubernetes.io/docs/admin/master-node-communication/ and https://github.com/kubernetes/kubernetes/issues/13598). I assume that this would potentially allow a rogue pod running on a master node to access/hijack Kubernetes functionality not normally accessible to pods on non-master nodes. Probably not a big deal if only running pods/containers developed internally - although I guess there's always the possibility of someone hacking access to a pod/container and thereby gaining access to the master node.
Does this sound like a viable potential risk associated with this scenario (allowing user pods to run on a Kubernetes master node)? Are there any other potential issues associated with such a setup?
Running pods on the master node is definitely possible.
The security risk you mention is one issue, but if you configure service accounts, it isn't actually much different for all deployed pods to have secure remote access to the apiserver vs. insecure local access.
Another issue is resource contention. If you run a rogue pod on your master node that disrupts the master components, it can destabilize your entire cluster. Clearly this is a concern for production deployments, but if you are looking to maximize utilization of a small number of nodes in a development / experimentation environment, then it should be fine to run a couple of extra pods on the master.
Finally, you need to make sure the master node has a sufficiently large pod CIDR allocated to it. In some deployments, the master only gets a /30 which isn't going to allow you to run very many pods.
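Before deciding to open a master up to user pods, it helps to check two of the things the answer above raises: whether the kubelet registered the node as unschedulable (`--register-schedulable=false` sets `.spec.unschedulable` to `true`, and newer clusters add a `NoSchedule` taint instead) and how many pod IPs the node's `.spec.podCIDR` can actually hand out. The following audit script is an added example, not code from the question, the answer or the Kubernetes project. It reads the JSON shape produced by `kubectl get nodes -o json`; the node list embedded here is constructed so the script runs offline, and the assumption that three addresses per pod CIDR are unusable (network address, bridge/gateway IP, broadcast) reflects the kubenet convention and may differ for other CNI plugins.

```python
"""Audit which nodes will accept user pods, and how many pod IPs each can allocate.

Input is the JSON produced by `kubectl get nodes -o json` (pipe it in, or pass a
file).  A constructed sample is embedded so the script runs without a cluster.
"""
import ipaddress
import json
import sys

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used here.
# The master was registered with --register-schedulable=false (unschedulable: true),
# carries the usual master NoSchedule taint, and was only given a /30 pod CIDR.
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "master-0",
                         "labels": {"node-role.kubernetes.io/master": ""}},
            "spec": {"podCIDR": "10.244.0.0/30", "unschedulable": True,
                     "taints": [{"key": "node-role.kubernetes.io/master",
                                 "effect": "NoSchedule"}]},
        },
        {
            "metadata": {"name": "worker-0", "labels": {}},
            "spec": {"podCIDR": "10.244.1.0/24"},
        },
        {
            "metadata": {"name": "worker-1", "labels": {}},
            "spec": {},  # no pod CIDR allocated (yet)
        },
    ]
})

# Assumption (kubenet convention): network address, bridge/gateway IP and broadcast
# are not handed to pods.  Other CNI plugins may reserve a different number.
RESERVED_ADDRESSES = 3


def usable_pod_ips(pod_cidr):
    """Pod IPs a node can allocate from its podCIDR; 0 if none or the range is too small."""
    if not pod_cidr:
        return 0
    net = ipaddress.ip_network(pod_cidr, strict=False)
    # A /31 or /32 has fewer addresses than the reserved set: clamp rather than go negative.
    return max(net.num_addresses - RESERVED_ADDRESSES, 0)


def audit_node(node, min_pods=10):
    """Summarise scheduling state and pod-IP capacity for one node object."""
    spec = node.get("spec", {})
    noschedule = [t["key"] for t in spec.get("taints", [])
                  if t.get("effect") == "NoSchedule"]
    unschedulable = bool(spec.get("unschedulable", False))
    pod_cidr = spec.get("podCIDR")
    ips = usable_pod_ips(pod_cidr)
    return {
        "name": node["metadata"]["name"],
        "unschedulable": unschedulable,          # set by --register-schedulable=false
        "noschedule_taints": noschedule,         # block pods without a matching toleration
        "accepts_user_pods": not unschedulable and not noschedule,
        "pod_cidr": pod_cidr,
        "usable_pod_ips": ips,
        "cidr_too_small": ips < min_pods,        # the /30 problem the answer describes
    }


def audit_nodes(nodes_json, min_pods=10):
    """Audit every node in a `kubectl get nodes -o json` document."""
    return [audit_node(n, min_pods) for n in json.loads(nodes_json)["items"]]


def format_report(report):
    lines = []
    for r in report:
        flags = []
        if r["unschedulable"]:
            flags.append("unschedulable")
        if r["noschedule_taints"]:
            flags.append("NoSchedule taints: " + ", ".join(r["noschedule_taints"]))
        if r["cidr_too_small"]:
            flags.append("pod CIDR %s yields only %d usable pod IPs"
                         % (r["pod_cidr"], r["usable_pod_ips"]))
        status = "accepts user pods" if r["accepts_user_pods"] else "rejects user pods"
        lines.append("%-10s %-18s %s" % (r["name"], status, "; ".join(flags)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: kubectl get nodes -o json | python audit_nodes.py   (or no stdin: sample data)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NODES_JSON
    print(format_report(audit_nodes(data or SAMPLE_NODES_JSON)))
```

Note that uncordoning the master (or adding a toleration to your pods) only clears the first two flags; with a /30 the master still has a single usable pod IP, so the CIDR allocation has to be fixed at the cluster level before the node is worth scheduling onto.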
This concludes the article on whether there are issues with running user pods on a Kubernetes master node. We hope the recommended answers are helpful, and please keep supporting IT屋!