Cluster controller
STOIX utilizes a lightweight controller running in your cluster to easily manage your jobs. It makes sure jobs run when intended and reports metadata back so you can access information in the dashboard in a secure way.
Communication with STOIX
In order to receive and send updates to the dashboard, the controller securely communicates with STOIX. All communication is encrypted during transit and the controller uses a token for authentication towards the dashboard. The token is included in the Kubernetes configuration file downloaded when creating the cluster and stored securely as a secret in the cluster. Whenever a cluster is removed, that token is invalidated.
Permissions
STOIX takes steps to limit any unnecessary access, to increase security and transparency about what goes on in a customer cluster. The controller has access to act on jobs and to get basic information on cluster health. The controller cannot act on anything outside its domain, nor read any secrets existing in the cluster.
Kubernetes has very detailed role-based access control (RBAC) for what can be done in a cluster. The Kubernetes configuration provided by STOIX when creating a new cluster contains details on what the controller is allowed to do in the cluster. Most permissions are restricted to a specific “stoix” namespace to limit the controller’s access to other components in the cluster. The following is a clarification on the access provided to the controller:
- Get, list and watch nodes as well as node statistics (metrics.k8s.io) in the cluster in order to report CPU, memory and storage statistics to the dashboard Clusters page.
- Create, delete, get, list, patch, update and watch pods (jobs) in the stoix namespace.
- Get and list job logs (pods/log) in the stoix namespace.
- Get, list and watch stoix-specific CRDs used for configuring jobs as part of a CI/CD flow.
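
As an added example (not STOIX's own code or manifest), the permission list above can be turned into an allowlist and checked against the Role and ClusterRole objects bound to the controller, in the JSON shape that `kubectl get role,clusterrole -o json` returns. The CRD API group `stoix.example`, the resource `jobconfigs` and the role names are placeholders, since the page does not name them.

```python
CRD_GROUP = "stoix.example"  # ASSUMPTION: placeholder, the page does not name the CRD API group
RW = {"create", "delete", "get", "list", "patch", "update", "watch"}
RO = {"get", "list", "watch"}
# (scope, apiGroup, resource) -> verbs the page documents; scope is "cluster" or a namespace
ALLOWED = {
    ("cluster", "", "nodes"): RO,
    ("cluster", "metrics.k8s.io", "nodes"): RO,
    ("stoix", "", "pods"): RW,
    ("stoix", "", "pods/log"): {"get", "list"},
}

def allowed_verbs(scope, group, resource):
    # The page does not say whether the CRDs are namespaced, so any scope is accepted for them.
    if group == CRD_GROUP:
        return RO
    return ALLOWED.get((scope, group, resource), set())

def audit(objects):
    """Return one finding per grant that goes beyond the documented list."""
    findings = []
    for obj in objects:
        meta = obj["metadata"]
        scope = "cluster" if obj["kind"] == "ClusterRole" else meta.get("namespace", "default")
        name = f'{obj["kind"]}/{meta["name"]}'
        for rule in obj.get("rules") or []:
            groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
            if "*" in groups + resources + verbs:  # a wildcard would also cover secrets
                findings.append(f"{name}: wildcard in rule {rule}")
                continue
            for g in groups:
                for r in resources:
                    extra = sorted(set(verbs) - allowed_verbs(scope, g, r))
                    if extra:
                        findings.append(f"{name}: {extra} on {g or 'core'}/{r} in {scope}")
    return findings

# Constructed sample objects (not STOIX's manifest): the first two match the page, the third drifts.
def role(kind, name, rules, ns=None):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, "rules": rules}

DOCUMENTED = [
    role("ClusterRole", "ctl-nodes", [{"apiGroups": ["", "metrics.k8s.io"], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]),
    role("Role", "ctl-jobs", [
        {"apiGroups": [""], "resources": ["pods"], "verbs": sorted(RW)},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": [CRD_GROUP], "resources": ["jobconfigs"], "verbs": ["get", "list", "watch"]},
    ], ns="stoix"),
]
DRIFTED = DOCUMENTED + [role("Role", "ctl-extra", [{"apiGroups": [""], "resources": ["secrets", "pods/log"], "verbs": ["get", "watch"]}], ns="stoix")]

if __name__ == "__main__":
    for finding in audit(DRIFTED):
        print(finding)
```

An empty result means the supplied roles stay within the documented list; any grant on secrets, any wildcard, and any pod access outside the stoix namespace is reported.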