Skip to main content

Kubernetes Security for Poolside Deployment on AWS

This document outlines the Kubernetes security configurations implemented as part of the Poolside self-managed deployment solution. These configurations are designed to provide appropriate access controls, ensure availability, and protect sensitive information.

Security Considerations

  • All service accounts follow the principle of least privilege
  • Secrets are immutable to prevent modification after creation
  • Pod Disruption Budgets ensure high availability during maintenance
  • Deployments use rolling update strategies to prevent service interruptions
  • Clear separation of resources between namespaces

Role-Based Access Control (RBAC)

Poolside deployment implements RBAC to control access to Kubernetes resources, following the principle of least privilege.

Core API Role

Component: Core API service account
Namespace: poolside-models
Permissions:
  • Apps API Group: Create, read, update, and delete deployments
  • Core API Group: Manage pods, services, secrets, configmaps, service accounts, and pod logs
  • Policy API Group: Manage pod disruption budgets
  • Batch API Group: Manage jobs
Purpose: Enables the Core API component to orchestrate model inference deployments and manage associated Kubernetes resources

Role Binding

Component: Core API service account
Configuration:
  • Binds the Core API role to the Core API service account
  • Ensures that only the Core API service account can perform the authorized actions
Purpose: Securely associates permissions with the specific service identity

Service Accounts

Poolside deployment creates dedicated service accounts for different components to provide identity-based access control.

Inference Service Account

Component: Inference pods
Namespace: poolside-models
Purpose: Provides identity for model inference pods

Core API Service Account

Component: Core API pods
Namespace: poolside (core namespace)
Purpose: Provides identity for the Core API component

Web Assistant Service Account

Component: Web Assistant pods
Namespace: poolside (core namespace)
Purpose: Provides identity for the Web Assistant component

Secret Management

Poolside deployment secures sensitive information through Kubernetes Secrets.

Database Password Secret

Component: Core API
Type: Opaque
Content: PostgreSQL database password
Configuration:
  • Immutable (cannot be modified after creation)
  • Referenced by environment variables in Core API pods
Purpose: Securely stores the database credentials needed by application components

Availability Controls

Poolside deployment implements controls to ensure service availability during voluntary disruptions.

Pod Disruption Budgets

Component: Core API and Web Assistant
Configuration:
  • Core API: Minimum 75% pods must remain available during disruptions
  • Web Assistant: Minimum 50% pods must remain available during disruptions
Purpose: Prevents cluster maintenance operations from causing service outages by maintaining minimum service availability

Load Balancer Security

The AWS Load Balancer Controller manages ingress to Kubernetes services. Component: AWS Load Balancer Controller
Implementation: Deployed via Helm chart in dedicated namespace
Authentication: Uses IAM Roles for Service Accounts (IRSA)
Configuration:
  • Service account with limited permissions
  • Integration with AWS EKS OIDC provider
  • Cluster-specific configuration
Purpose: Securely manages AWS Application Load Balancers for external traffic

Deployment Security Measures

Components: Core API and Web Assistant
Configuration:
  • Rolling update strategy (25% max surge, 25% max unavailable)
  • Health checks via liveness and readiness probes
  • Topology spread constraints for high availability
  • Service account identity for each deployment
Purpose: Ensures continuous service availability during updates while maintaining proper access controls