When you use secure data-fabric clusters with the Kubernetes Interfaces for Data Fabric, you must generate tickets for your containers. Follow these best practices:
- Create a different user for each container.
- To avoid frequent renewals, use long-lived user tickets or servicewithimpersonation tickets. A container reads its ticket when it starts, so if you refresh or update a ticket you must restart the containers that use it.
- If you use an impersonation ticket, it is CRITICAL that you set a security context in the pod definition; without one, a compromised or misbehaving container holding the ticket can impersonate any user ID. For the restrictions that apply to impersonation tickets, see How Impersonation Works and maprlogin.
- Set the security context's runAsUser to the UID, and fsGroup to the GID, of the user for whom the ticket was generated.
Here is an example of a pod spec that specifies a security context:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-secure
  namespace: mapr-examples
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
```
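The following is an added example, not code from the original page or from the Data Fabric project. It checks a pod manifest against the rules above: every container must run as the UID its ticket was generated for (a container-level runAsUser overrides the pod-level one, so both are considered), and the pod's fsGroup must match the ticket's GID. The manifests and the `TICKET_OWNERS` mapping (container name to the UID/GID used when the ticket was generated) are constructed for the example; in practice you would populate the mapping from the user you passed to maprlogin.

```python
"""Verify that a pod's security context matches the Data Fabric ticket user.

Added example; not part of the original page or the Data Fabric project.
Assumption (constructed): the caller knows, per container, the uid/gid that
the container's ticket was generated for.
"""
import json

# Constructed sample manifest in JSON form (kubectl accepts JSON as well as YAML).
GOOD_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "test-secure", "namespace": "mapr-examples"},
  "spec": {
    "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
    "containers": [{"name": "app", "image": "example/app:1.0"}]
  }
}
""")

# Constructed counter-example: no pod-level context, and a sidecar that
# overrides runAsUser to root.
BAD_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "test-insecure", "namespace": "mapr-examples"},
  "spec": {
    "containers": [
      {"name": "app", "image": "example/app:1.0"},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"runAsUser": 0}}
    ]
  }
}
""")

# Constructed: (uid, gid) that each container's ticket was generated for.
TICKET_OWNERS = {"app": (1000, 2000), "sidecar": (1000, 2000)}


def effective_uid(pod_ctx, container):
    """A container-level runAsUser overrides the pod-level runAsUser."""
    c_ctx = container.get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return pod_ctx.get("runAsUser")


def check_pod(pod, ticket_owners):
    """Return a list of findings; an empty list means the pod passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # fsGroup is a pod-level setting only.
    if "fsGroup" not in pod_ctx:
        findings.append(f"{name}: pod securityContext.fsGroup is not set")

    for container in spec.get("containers", []):
        cname = container["name"]
        if cname not in ticket_owners:
            findings.append(f"{name}/{cname}: no ticket owner recorded for this container")
            continue
        want_uid, want_gid = ticket_owners[cname]

        uid = effective_uid(pod_ctx, container)
        if uid is None:
            findings.append(f"{name}/{cname}: runAsUser is not set; "
                            "an impersonation ticket could act as any uid")
        elif uid != want_uid:
            findings.append(f"{name}/{cname}: runAsUser {uid} does not match ticket uid {want_uid}")

        gid = pod_ctx.get("fsGroup")
        if gid is not None and gid != want_gid:
            findings.append(f"{name}/{cname}: fsGroup {gid} does not match ticket gid {want_gid}")
    return findings


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        for finding in check_pod(pod, TICKET_OWNERS) or ["ok"]:
            print(finding)
```

Run this against manifests before you apply them; a finding on runAsUser is the case the page warns about, because a ticket that permits impersonation is only as constrained as the UID the container actually runs under.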