Add a linux-security doc entry
Signed-off-by: Itamar Holder <iholder@redhat.com>pull/51303/head
Itamar Holder
parent
bec9d0d50a
commit
24b1f35dfb
|
|
@ -1,10 +1,7 @@
|
|||
---
|
||||
reviewers:
|
||||
- jayunit100
|
||||
- jsturtevant
|
||||
- marosset
|
||||
- perithompson
|
||||
title: Security For Windows Nodes
|
||||
- lmktfy
|
||||
title: Security For Linux Nodes
|
||||
content_type: concept
|
||||
weight: 40
|
||||
---
|
||||
|
|
@ -17,46 +14,16 @@ This page describes security considerations and best practices specific to the L
|
|||
|
||||
## Protection for Secret data on nodes
|
||||
|
||||
On Windows, data from Secrets are written out in clear text onto the node's local
|
||||
storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster
|
||||
operator, you should take both of the following additional measures:
|
||||
On Linux nodes, memory-backed volumes (such as [`secret`](/docs/concepts/configuration/secret/)
|
||||
volume mounts, or [`emptyDir`](/docs/concepts/storage/volumes/#emptydir) with `medium: Memory`)
|
||||
are implemented with a `tmpfs` filesystem.
|
||||
|
||||
1. Use file ACLs to secure the Secrets' file location.
|
||||
1. Apply volume-level encryption using
|
||||
[BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server).
|
||||
If you have swap configured and use an older Linux kernel (or a current kernel and an unsupported configuration of Kubernetes),
|
||||
**memory** backed volumes can have data written to persistent storage.
|
||||
|
||||
## Container users
|
||||
The Linux kernel officially supports the `noswap` option from version 6.3,
|
||||
therefore it is recommended the used kernel version is 6.3 or later,
|
||||
or supports the `noswap` option via a backport, if swap is enabled on the node.
|
||||
|
||||
[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername)
|
||||
can be specified for Windows Pods or containers to execute the container
|
||||
processes as specific user. This is roughly equivalent to
|
||||
[RunAsUser](/docs/concepts/security/pod-security-policy/#users-and-groups).
|
||||
|
||||
Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator.
|
||||
The differences between these two user accounts are covered in
|
||||
[When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts)
|
||||
within Microsoft's _Secure Windows containers_ documentation.
|
||||
|
||||
Local users can be added to container images during the container build process.
|
||||
|
||||
{{< note >}}
|
||||
|
||||
* [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as
|
||||
`ContainerUser` by default
|
||||
* [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as
|
||||
`ContainerAdministrator` by default
|
||||
|
||||
{{< /note >}}
|
||||
|
||||
Windows containers can also run as Active Directory identities by utilizing
|
||||
[Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/)
|
||||
|
||||
## Pod-level security isolation
|
||||
|
||||
Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
|
||||
POSIX capabilities) are not supported on Windows nodes.
|
||||
|
||||
Privileged containers are [not supported](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)
|
||||
on Windows.
|
||||
Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod)
|
||||
can be used on Windows to perform many of the tasks performed by privileged containers on Linux.
|
||||
Read [swap memory management](/docs/concepts/cluster-administration/swap-memory-management/#memory-backed-volumes)
|
||||
for more info.
|
||||
Loading…
Reference in New Issue