
Add security sensitive nodes to our kubernetes cluster
Closed, Resolved. Public

Description

We would like to schedule the kask session storage service on dedicated hosts in our kubernetes cluster in order to avoid interactions with the other services. This should mitigate the case where another service running on the shared kubernetes nodes is exploited and the attacker is able to jump to the session storage service and obtain security sensitive information.

The proposed approach has been to create a couple of VMs on our ganeti infrastructure (one per rack row) with the required resources and instruct kask to be instantiated only there.
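As an added example (not from the task or from the puppet changes listed below), this is how the isolation described above is expressed with stock Kubernetes primitives: a taint on the dedicated nodes so that nothing else lands there, a `dedicated=kask` label on those nodes, and a toleration plus nodeSelector on the kask workload. The taint spelling `dedicated=kask:NoSchedule`, the namespace, the image and the port are assumptions; the page only states that the nodes carry specific taints and a `dedicated=kask` label.

```yaml
# Added example, not the task's or puppet repo's own configuration.
# Assumptions: taint key/value `dedicated=kask`, namespace `sessionstore`,
# image name and container port are all placeholders.
#
# Node side, one-off equivalent of what the kubelet is configured with
# (replace <kask-node> with the real node name):
#   kubectl taint nodes <kask-node> dedicated=kask:NoSchedule
#   kubectl label nodes <kask-node> dedicated=kask
# NoSchedule keeps new pods without a matching toleration off the node;
# NoExecute would additionally evict pods already running there.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kask
  namespace: sessionstore          # assumption
spec:
  replicas: 2
  selector:
    matchLabels:
      app: kask
  template:
    metadata:
      labels:
        app: kask
    spec:
      # Toleration: allows kask pods onto the tainted nodes. Without it
      # the NoSchedule taint rejects them like any other workload.
      tolerations:
        - key: dedicated
          operator: Equal
          value: kask
          effect: NoSchedule
      # Node selector: pins kask to the labelled nodes only. A toleration
      # by itself would still let the scheduler place kask on shared nodes.
      nodeSelector:
        dedicated: kask
      containers:
        - name: kask
          image: registry.invalid/kask:placeholder   # assumption
          ports:
            - containerPort: 8081                    # assumption
```

The taint only keeps out workloads that lack a matching toleration, so any team able to add `tolerations` to its own manifests can still be scheduled onto these nodes; that makes admission control over tolerations part of the isolation boundary, not just the node configuration.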

Event Timeline

Change 504849 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Support node labels and taints in kubelet

https://gerrit.wikimedia.org/r/504849

Change 504849 merged by Alexandros Kosiaris:
[operations/puppet@production] Support node labels and taints in kubelet

https://gerrit.wikimedia.org/r/504849

Change 504897 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Kubernetes node labels followup

https://gerrit.wikimedia.org/r/504897

Change 504897 merged by Alexandros Kosiaris:
[operations/puppet@production] Kubernetes node labels followup

https://gerrit.wikimedia.org/r/504897

kubernetes1005, kubernetes1006, kubernetes2005, kubernetes2006 added with specific taints in order to have only kask being scheduled on them. Resolving.

Change 505832 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Add a dedicated=kask label to kask nodes

https://gerrit.wikimedia.org/r/505832

Change 505832 merged by Alexandros Kosiaris:
[operations/puppet@production] Add a dedicated=kask label to kask nodes

https://gerrit.wikimedia.org/r/505832