Kubernetes Immutable Infrastructure

CozyFex included in kubernetes k8s orchestration

2021-07-10 136 words One minute

Contents

Mutable Infrastructure

Immutable Infrastructure

Rolling Update

In Kubernetes, it’s Rolling Update.

Ensure Immutability of Containers at Runtime

PodSecurityPolicy

In Kubernetes, we can use PodSecurityPolicy for that.

`nginx.yaml`

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      securityContext:
        readOnlyRootFilesystem: true
        privileged: true
      volumeMounts:
        - name: cache-volume
          mountPath: /var/cache/nginx
        - name: runtime-volume
          mountPath: /var/run
  volumes:
    - name: cache-volume
      emptyDir: { }
    - name: runtime-volume
      emptyDir: { }

`psp.yaml`

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny