EKS Control Plane Security

0

Hi,

A customer in the enterprise sector who is currently evaluating EKS. They have an internal security document and they need help answering the following questions:

  • Can you customize the AMI for the control pane nodes?

I know it is possible to build custom AMI for the worker nodes but what about the control pane? My guess is that it isn't possible as part of the managed service offering but I want to double check.

  • Can you activate AppArmor or SELinux on control pane nodes?

  • Are the K8S components (api, scheduler, etc.) containerised on the control pane and can we limit the number of processes?

For the latter part I assume the answer is no, but I'm just curious about the first part.

AWS
질문됨 4년 전752회 조회
1개 답변
2
수락된 답변

AFAIK. Q: Can you customise the AMI for the control pane nodes? Ans: No. We can't since it's managed by AWS. You are right. Q: Can you activate AppArmor or SELinux on control pane nodes? Ans: No for control plane and Yes for worker nodes i.e. pods/container -- refer slide#31 https://d1.awsstatic.com/events/reinvent/2019/REPEAT_1_Running_high-security_workloads_on_Amazon_EKS_CON334-R1.pdf Q: Are the K8S components (api, scheduler, etc.) containerized on the control pane and can we limit the number of processes? Ans: Yes the component are containerized but again we don't have access to view inside the control plane. https://www.eksworkshop.com/010_introduction/architecture/architecture_control/ https://kubernetes.io/docs/concepts/overview/components/#master-components

답변함 4년 전
profile picture
전문가
검토됨 5달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠