cluster-api-provider-nested
aws-imds-packet-analyzer | cluster-api-provider-nested | |
---|---|---|
2 | 6 | |
96 | 294 | |
- | 0.0% | |
5.0 | 4.7 | |
28 days ago | 27 days ago | |
Python | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
aws-imds-packet-analyzer
-
Amazon EC2 Enhances Defense in Depth with Default IMDSv2
I'm the technical lead for IMDS. Without an IMDS, the alternative is usually hard-coding long-lived credentials, which is much worse.
We've looked a few times at different ways that IMDS could vend different credentials to different user-ids. We documented how to use local firewall rules, which you've linked to. This gives single uid restrictions, similar to filterd. We also have a BPF based tracer tool, https://github.com/aws/aws-imds-packet-analyzer which can monitor which user ids and processes are calling IMDS (and which version they are using).
Our next thought was to expose IMDS as a filesystem. That way ordinary POSIX filesystem permissions could be used to control which user ids could read which credentials, and it would even work on Windows. But our research found that security issues (in applications and libraries that customers run) that grant local file reading privileges are even more common than SSRF issues (in part this because many SSRF issues allow "file://" urls, so they become a subset).
We've looked at interfacing with the kernel keyring and the TPM 2.0 interface (and we now have Nitro TPM) ... but both are difficult to call to user space. The latter doesn't get user ID granularity, and the former is hard to coordinate with from the outside for revoking and rotating credentials.
- GitHub - aws/aws-imds-packet-analyzer: traces TCP interactions with the EC2 Instance Metadata Service (IMDS)
cluster-api-provider-nested
-
Amazon EC2 Enhances Defense in Depth with Default IMDSv2
Kubernetes has a lot of limitations from a multi tenancy perspective.
It's functional, but I think it's not as polished as the rest of Kubernetes which is why Kubernetes has a multi tenancy SIG that spawned the hierarchical namespace controller (https://github.com/kubernetes-sigs/hierarchical-namespaces) and virtual clusters (https://github.com/kubernetes-sigs/cluster-api-provider-nest...)
-
Multi-tenancy in Kubernetes
Virtual Cluster (wg-multitenancy)
-
Any projects to run Kubernetes inside Kubernetes?
Also https://github.com/kubernetes-sigs/cluster-api-provider-nested, similar approach to vcluster, but part of the K8s project.
- cluster-api-provider-nested/virtualcluster at main ยท kubernetes-sigs/cluster-api-provider-nested
- Kubernetes-in-Kubernetes and the WEDOS PXE bootable server farm
-
Introduction to Multi-Tenancy in Kubernetes
Approach C This approach provides a way to implement hard isolation among Kubernetes tenants who have no trust between them. This provides segregated master plane components for each tenant by creating a mini virtual cluster on the super Kubernetes cluster. Admins can also create custom resources in those virtual clusters as well. This is provided by projects like VirtualCluster and vCluster.
What are some alternatives?
hierarchical-namespaces - Home of the Hierarchical Namespace Controller (HNC). Adds hierarchical policies and delegated creation to Kubernetes namespaces for improved in-cluster multitenancy.
vcluster - vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
cluster-api-provider-kubevirt - Cluster API Provider for KubeVirt
kamaji - Kamaji is the Hosted Control Plane Manager for Kubernetes.
cluster-api-provider-openstack
cluster-api-provider-vsphere
cluster-api-provider-aws - Kubernetes Cluster API Provider AWS provides consistent deployment and day 2 operations of "self-managed" and EKS Kubernetes clusters on AWS.
cluster-api-provider-azure - Cluster API implementation for Microsoft Azure
cluster-api-provider-packet - Cluster API Provider Packet (now Equinix Metal)
kind - Kubernetes IN Docker - local clusters for testing Kubernetes
tink - Talos in Kubernetes