Kubernetes Storage and Kubernetes Security

Kubernetes Storage:

Persistent volume:

A Persistent Volume (PV) is a cluster-wide storage resource: a piece of storage, usually network-backed, that has been provisioned for use by applications running in the cluster. The PV is created separately from the Pod that will use it, and the Pod refers to the PV through a Persistent Volume Claim (PVC). When a Pod is deleted, the PV and the data it holds can outlive it and be reused by other Pods.

Persistent Volumes can be created from a variety of storage solutions, including network-attached storage (NAS), local storage, cloud storage, or any other storage system that has a CSI driver. Kubernetes supports many types of storage including file, block and object storage.

Persistent volume claim:

In Kubernetes, a Persistent Volume Claim (PVC) is a request for a specific amount of storage from a specific storage class. It is used by a user to request access to a Persistent Volume (PV), which is a piece of networked storage that has been provisioned for use by applications running in the cluster.

The PVC abstraction allows for dynamic provisioning, where storage can be automatically allocated as needed based on demand.

Once a PVC is created, Kubernetes attempts to find a suitable PV that matches the requested attributes. If a matching PV is found, the PVC is bound to the PV, and the user can use the storage through the mounted volume.

If no matching PV is available, and the PVC names a StorageClass, Kubernetes dynamically provisions a new PV for the PVC based on that StorageClass. This lets users request storage on demand, without having to manually create PVs.
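The static path described above (a PV created ahead of time, a PVC that binds to it, and a Pod that mounts the claim) as an added example; this is not code from the original page. The NFS server, export path, namespace and image are placeholders, and the reclaim policy and empty storageClassName are chosen to show the binding rules rather than to match any particular cluster.

```yaml
# Static provisioning: the administrator creates the PV before any claim exists.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: data-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  # Retain keeps the backing data after the claim is deleted so it can be
  # inspected or reused; Delete would remove the underlying storage. A
  # Released volume must have its claimRef cleared by an admin before a new
  # claim can bind to it.
  persistentVolumeReclaimPolicy: Retain
  # Empty storageClassName means "no class": only claims that also request no
  # class can bind here, and no dynamic provisioner will act on such a claim.
  storageClassName: ""
  nfs:
    server: nfs.example.internal   # placeholder NFS server
    path: /exports/data            # placeholder export path
---
# The user's claim. Kubernetes binds it to a PV whose capacity and access
# modes satisfy the request; with storageClassName "" it will never trigger
# dynamic provisioning, so an unbound claim simply stays Pending.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-claim
  namespace: apps
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ""
  resources:
    requests:
      storage: 10Gi
---
# The Pod mounts the claim, never the PV directly. readOnly limits what a
# compromised container can do to shared data it only needs to read.
apiVersion: v1
kind: Pod
metadata:
  name: reader
  namespace: apps
spec:
  containers:
    - name: app
      image: registry.example.internal/app:1.0   # placeholder image
      volumeMounts:
        - name: data
          mountPath: /data
          readOnly: true
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data-claim
        readOnly: true
```

After `kubectl apply`, `kubectl get pv,pvc -n apps` should show both objects as Bound; deleting the claim moves the PV to Released rather than deleting the NFS data because of the Retain policy.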

Storage Class:

StorageClass is a way to define different classes of storage in the cluster, such as the type of storage, its performance characteristics, and so on. StorageClasses allow administrators to provision storage dynamically and provide users with a way to request storage based on their specific requirements.

When a PVC is created, Kubernetes looks for a StorageClass that matches the user's requirements. If a matching StorageClass is found, Kubernetes dynamically provisions a Persistent Volume based on the StorageClass parameters. If no matching StorageClass is found, the PVC remains pending until a suitable StorageClass is created.
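The dynamic path, as an added example that is not part of the original page: a StorageClass plus a PVC that names it, so the provisioner creates the PV on demand. The provisioner name and the `type`/`encrypted` parameters are those of the AWS EBS CSI driver and are an assumption about the platform; on another cloud or on-premises system the driver name and parameters differ.

```yaml
# A StorageClass for encrypted gp3 EBS volumes (assumes the AWS EBS CSI driver
# is installed). Substitute your platform's provisioner and parameters.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-ssd
  annotations:
    # Claims that omit storageClassName get this class.
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  # kmsKeyId: <placeholder KMS key ARN>   # omit to use the account default key
# Delete removes the cloud disk when the PVC is deleted; use Retain for data
# that must survive an accidental claim deletion.
reclaimPolicy: Delete
allowVolumeExpansion: true
# Wait until a Pod using the claim is scheduled, so the disk is created in the
# same zone as the node that will attach it.
volumeBindingMode: WaitForFirstConsumer
---
# A claim that names the class. No PV exists for it, so the provisioner
# creates one with the parameters above once a consuming Pod is scheduled.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data
  namespace: apps
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: encrypted-ssd
  resources:
    requests:
      storage: 20Gi
```

With WaitForFirstConsumer the claim reports Pending until a Pod references it; that is expected, not a provisioning failure. If the class named in a claim does not exist, the claim also stays Pending, which is the behaviour described above.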

StatefulSet:

StatefulSets are used for stateful applications that require stable network identities and persistent storage. Compared with traditional Deployments they add stable network identities, ordered Pod deployment, persistent storage, rolling updates, and ordered Pod termination, which makes stateful applications easier to manage and scale in a Kubernetes cluster.
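An added example (not from the original page) showing the pieces that give a StatefulSet those properties: a headless Service for stable DNS names, ordered start-up and rolling updates, and a volumeClaimTemplate that gives each Pod its own PVC. The namespace, image and the `encrypted-ssd` StorageClass are assumptions.

```yaml
# Headless Service (clusterIP: None): each Pod gets a stable DNS name such as
# db-0.db.apps.svc.cluster.local instead of a single load-balanced address.
apiVersion: v1
kind: Service
metadata:
  name: db
  namespace: apps
spec:
  clusterIP: None
  selector:
    app: db
  ports:
    - port: 5432
      name: postgres
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
  namespace: apps
spec:
  serviceName: db           # must match the headless Service above
  replicas: 3
  selector:
    matchLabels:
      app: db
  # OrderedReady (the default): start db-0, wait until it is Ready, then db-1,
  # and so on; termination runs in the reverse order.
  podManagementPolicy: OrderedReady
  updateStrategy:
    type: RollingUpdate     # one Pod at a time, highest ordinal first
  template:
    metadata:
      labels:
        app: db
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        fsGroup: 999        # makes the mounted volume writable by the non-root user
      containers:
        - name: postgres
          image: registry.example.internal/postgres:16   # placeholder image
          ports:
            - containerPort: 5432
              name: postgres
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  # One PVC per Pod (data-db-0, data-db-1, data-db-2). By default the claims
  # are kept when the StatefulSet is scaled down or deleted, so data survives.
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: encrypted-ssd   # assumed to exist in the cluster
        resources:
          requests:
            storage: 20Gi
```

Because the PVCs are retained, scaling back up re-attaches db-1 to its old data rather than an empty disk; deleting a replica's data is a deliberate `kubectl delete pvc` step, not a side effect of scaling.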

Kubernetes Security:

Role-Based Access Control (RBAC):

Role-Based Access Control (RBAC) is a security mechanism used in Kubernetes to control access to resources based on the roles and responsibilities of individual users within an organization.

With RBAC, administrators can grant users access to only the resources they need, reducing the risk of accidental or malicious modifications to the cluster.
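A least-privilege RBAC setup as an added example (not from the original page): a ServiceAccount for a log-shipping workload, a namespaced Role that lists only the verbs and resources it needs, and a RoleBinding confining that grant to one namespace. The names and the `apps` namespace are assumptions.

```yaml
# Identity for the workload. Tokens are only mounted into Pods that opt in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: apps
automountServiceAccountToken: false
---
# A namespaced Role with exactly the access the workload needs: read Pods and
# their logs. No "secrets", no write verbs, no wildcards.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: apps
rules:
  - apiGroups: [""]                   # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# A RoleBinding is scoped to its namespace: the same subject has no access to
# Pods anywhere else. A ClusterRole + ClusterRoleBinding would grant the
# same rules cluster-wide and should be reserved for cluster-level tooling.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: apps
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the effective permissions with impersonation before deploying the workload: `kubectl auth can-i list pods --as=system:serviceaccount:apps:log-reader -n apps` should answer `yes`, while the same check for `get secrets`, or for `list pods` in another namespace, should answer `no`.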

Pod Security Policies (PSPs):

Pod Security Policies (PSPs) are a Kubernetes feature that allows administrators to control the security settings of a cluster by defining a set of rules that determine the security context for Pods running on the cluster.

PSPs are implemented using a set of Kubernetes objects that are created and managed by administrators.

  1. PodSecurityPolicy: This object defines a set of rules that apply to all Pods running on the cluster. These rules might include settings for the container runtime, volume mounting, and network access.

  2. RoleBinding: This object associates a PodSecurityPolicy with a set of users or groups, granting them permission to create, update, or delete Pods that comply with the PodSecurityPolicy.

  3. ClusterRoleBinding: This object associates a PodSecurityPolicy with a set of users or groups across the entire cluster, granting them permission to create, update, or delete Pods that comply with the PodSecurityPolicy.
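The three objects above wired together, as an added example that is not code from the original page: a restrictive PodSecurityPolicy, a ClusterRole granting the `use` verb on it (the binding in item 2 and 3 works through such a role), and a RoleBinding applying it to every ServiceAccount in one namespace. Because PodSecurityPolicy was removed in Kubernetes 1.25, the block goes beyond the page and ends with the equivalent Pod Security Admission namespace label that replaces it. Policy names and the `apps` namespace are assumptions.

```yaml
# Restrictive policy: no privileged containers, no privilege escalation, all
# capabilities dropped, non-root user, and no host namespaces or hostPath.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                # allow-list; hostPath is deliberately absent
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# A policy only applies to Pods whose creator (usually a controller acting
# through the Pod's ServiceAccount) is allowed the "use" verb on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
# RoleBinding: every ServiceAccount in "apps" may use the restricted policy.
# A ClusterRoleBinding with the same roleRef would grant it cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-apps
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:apps
---
# Kubernetes 1.25 and later: Pod Security Admission enforces the built-in
# "restricted" profile per namespace through labels, with no RBAC wiring.
apiVersion: v1
kind: Namespace
metadata:
  name: apps
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
```

A common failure mode with PSPs was a Pod that the RBAC check silently rejected because no usable policy was bound for its ServiceAccount; the Pod Security Admission labels avoid that by evaluating the Pod spec directly and reporting the violated rule in the admission error.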

Secrets:

Secrets are a type of Kubernetes object that allows you to store and manage sensitive information, such as passwords, API keys, and certificates.

Kubernetes provides two types of secrets:

  1. Opaque Secrets: This is the most basic type of secret in Kubernetes. It simply stores a collection of key-value pairs, where both the key and value are arbitrary strings. Opaque secrets can be used to store passwords, API keys, or any other sensitive data.

  2. TLS Secrets: This type of secret is used to store TLS certificates and private keys. TLS secrets are used to secure communication between components in a Kubernetes cluster, such as between a web server and a load balancer.
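Both Secret types from the list above, plus a Pod consuming one of them, as an added example that is not code from the original page. The credential values and the PEM blocks are placeholders; the namespace and image are assumptions.

```yaml
# Opaque secret. stringData accepts plain text; the API server stores it
# base64-encoded under "data". base64 is an encoding, not encryption: anyone
# with "get secrets" in this namespace can read the values, and they are only
# encrypted at rest if the API server is configured with an EncryptionConfiguration.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: apps
type: Opaque
immutable: true          # refuse later edits; rotate by creating a new Secret
stringData:
  username: app          # constructed sample value
  password: CHANGE-ME    # placeholder; never commit real credentials to git
---
# TLS secret. The kubernetes.io/tls type requires exactly the keys tls.crt and
# tls.key holding PEM data. The values here are placeholders; in practice
# generate the object with:
#   kubectl create secret tls web-tls --cert=tls.crt --key=tls.key -n apps
apiVersion: v1
kind: Secret
metadata:
  name: web-tls
  namespace: apps
type: kubernetes.io/tls
stringData:
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: paste the PEM certificate chain here
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER: paste the PEM private key here
    -----END PRIVATE KEY-----
---
# Consume the Opaque secret as a file rather than an environment variable:
# environment variables are inherited by every child process and tend to end
# up in crash reports and logs, while a read-only tmpfs mount stays in the
# container and can be updated in place when the Secret changes.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: apps
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.internal/app:1.0   # placeholder image
      volumeMounts:
        - name: creds
          mountPath: /etc/app/creds
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-credentials
        defaultMode: 0400
        items:
          - key: password        # mount only the key this container needs
            path: db_password
```

Pair this with RBAC that does not grant `get`, `list` or `watch` on `secrets` to ordinary workloads: a ServiceAccount that can read a namespace's Secrets can read every credential in it, regardless of how individual Pods mount them.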

Transport Layer Security (TLS):

TLS is widely used to secure communication on the internet, including web browsing, email, and other types of network communication. In Kubernetes, TLS is often used to secure communication between components of a cluster, such as between a web server and a load balancer. Kubernetes provides support for configuring TLS through the use of Kubernetes objects such as secrets, ingress, and service objects.
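The secret/ingress/service combination mentioned above, as an added example that is not code from the original page: a Service for the web Pods and an Ingress that terminates TLS using a kubernetes.io/tls Secret named `web-tls`, which is assumed to exist in the same namespace. The hostname, ingressClassName and namespace are placeholders.

```yaml
# ClusterIP Service fronting the web Pods inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: apps
spec:
  selector:
    app: web
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
# Ingress terminating TLS at the ingress controller. The tls block names the
# certificate Secret; the Secret must live in the Ingress's own namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: apps
spec:
  ingressClassName: nginx            # whichever controller the cluster runs
  tls:
    - hosts:
        - web.example.internal       # placeholder hostname; must match the cert
      secretName: web-tls
  rules:
    - host: web.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

The Ingress object only selects the certificate. Minimum TLS version, cipher suites and whether plain HTTP is redirected are settings of the ingress controller itself, and the hop from the controller to the Service is plaintext inside the cluster unless the backend is separately configured for TLS; both are worth checking when the goal is end-to-end encryption rather than edge termination.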