Reputation: 535
Isolating multiple mounted user-space file systems on the running microservice
My situation: I have a microservice running Ubuntu 18.04 on GKE for evaluating the user's code. Every time, a user logs into her project, the service receives the user ID and project ID and it mounts a correct GCS bucket through a user-space file system based on these IDs. This service can be accessed by multiple users at the same time.
My goal: How can I achieve user isolation in a way that each user "lives" in their own filesystem and can't "see" other mounted file systems?
Ideas:
- Run a docker container inside a docker container
- Start pods on demand every time a new user logs in
- Isolate users on the OS level
Upvotes: 1
Views: 63
Answers (1)
Reputation: 2299
What about to let your application to spawn a Pod for each user using SecurityContext?
You could specify fsGroup (from the doc: volumes that support ownership management are modified to be owned and writable by the GID specified in fsGroup) in order to enhance the segregation you want.
The challenging part is the clean-up of old Pods no more used, so it must be supervised by your application or, in case of logout (I guess since I don't have so many details about your architecture) performs a clean-up taking advantages of the label system provided by Kubernetes.
Upvotes: 1
Related Questions
- Share filesystem across containers in a pod
- Proper way for pods to read input files from the same persistent volume?
- Multiple Persistent Volumes with the same mount path Kubernetes
- Kubernetes how different mountPath share data in single pod
- Kubernetes shared File System across Pods
- Google cloud platform (GCP): mounting multiple volumes kubernetes
- Restricting Kubernetes pod to one process
- Where to store files in GKE container?
- Understanding usability of volumes
- Where to place kubernetes and dockerfiles