SELinux (Security-Enhanced Linux) is a set of kernel modifications and user-space tools that have been added to various Linux distributions. It provides a mechanism for supporting access control security policies.
By default, the processes spawned by a container run as the 'root' user.
secgroup limits the disk quota.
Security Issue
Rotate your join-tokens for both workers and managers whenever there is a suspicion that someone might have gained access to the token for adding managers to the cluster.
Secrets are immutable in a Docker swarm cluster. They cannot be updated, so if you want to modify a secret you have to create a new secret and attach that to the existing service.
step 1: Create the new secret.
step 2: Update the service with the new secret (add the new secret, remove the old one).
step 3: The service may need to be restarted; the Docker swarm cluster takes care of that.
step 4: Delete the old secret.
docker service update --help | grep secret
      --secret-add secret      Add or update a secret on a service
      --secret-rm list         Remove a secret
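The join-token rotation and the four-step secret rotation above are both routine credential rotations on a swarm. The script below is an example added here (not code from the original post or from Docker) that runs them end to end. The service name, secret names and secret file are placeholders the caller supplies; `--secret-add` with `target=` keeps the file name under /run/secrets/ the same as before, so the application keeps reading the path it already knows.

```shell
#!/bin/sh
# Added example (not from the original post): rotate Docker Swarm join-tokens
# and rotate an immutable swarm secret on a running service.
# Every name passed in (service, secret names, secret file) is a placeholder.
set -eu

# Rotate both join-tokens. Previously issued tokens stop working, nodes that
# already joined stay in the cluster. Prints the new tokens so they can be
# redistributed over a trusted channel.
rotate_join_tokens() {
    docker swarm join-token --rotate -q worker
    docker swarm join-token --rotate -q manager
}

# rotate_secret SERVICE OLD_SECRET NEW_SECRET SECRET_FILE [TARGET]
# TARGET is the file name under /run/secrets/ that the service reads;
# it defaults to OLD_SECRET so the path the application opens does not change.
rotate_secret() {
    service=$1; old=$2; new=$3; file=$4; target=${5:-$2}

    # Step 1: secrets are immutable, so create a new one from the file.
    docker secret create "$new" "$file"

    # Step 2: swap the secret in one update; the swarm restarts the tasks itself.
    # Removing and adding in the same command avoids a task generation with
    # nothing mounted at the target path.
    docker service update \
        --secret-rm "$old" \
        --secret-add "source=$new,target=$target" \
        "$service"

    # Step 3: by default the update waits until the service converges, so the
    # old secret is no longer referenced and can be removed (docker refuses to
    # remove a secret that a service still uses).
    docker secret rm "$old"
}

# Command-line entry point; running the file without arguments only defines the functions.
case "${1:-}" in
    tokens) rotate_join_tokens ;;
    secret) shift; rotate_secret "$@" ;;
    "") ;;
    *) echo "usage: $0 tokens | secret SERVICE OLD_SECRET NEW_SECRET SECRET_FILE [TARGET]" >&2; exit 2 ;;
esac
```

Usage: `sh rotate.sh secret web db_password db_password_v2 ./pw.txt` swaps `db_password` for `db_password_v2` on service `web` while the container keeps reading `/run/secrets/db_password`; `sh rotate.sh tokens` invalidates both join-tokens.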
Secrets and configs are encrypted during transit and at rest in a Docker swarm.
Configs operate in a similar way to secrets, except that they are not encrypted at rest and are mounted directly into the container’s filesystem without the use of RAM disks. Configs can be added or removed from a service at any time, and services can share a config.
The default location of secrets inside a Docker container is '/run/secrets/'. The default location of a config file when using Docker config is '/'.