Stop replication through Kubernetes

6/4/2021

I want to deploy a product on a client's server using Kubernetes. My product has 4 components. Mainly I am concerned about only one, i.e. token_service_api, which produces a token through which clients can use other components. Let's suppose I have provided them with 4 images of 4 components. And every container from the token_service_api image can produce 1 million tokens. The goals I want to achieve are:

  • My one image of token_service_api can produce 1 million tokens. If a client wants to deploy 2 or 4 containers of the token_service_api image for load balancing purposes, how can I keep count of how many tokens have been generated if they use different databases?

  • Secondly, they will have the images. If they deploy a totally separate Kubernetes cluster, they will again use the infinite tokens. Is there a way to make the images usable only one or two times, and can I stop them from committing a container?

Up till now I have one solution: every token_service_api will request the main component; that way I will know how many containers are up.

P.S. Inbound and outbound traffic of the server will be closed.

-- mian obaid
docker
kubernetes
ubuntu

1 Answer

6/4/2021

Kubernetes doesn't have a built-in option, other than Volumes, to save a Pod's state, and also no built-in option to restrict Pods from being created with a certain image.
However, you can introduce such a feature on your custom cluster using Operators and custom Admission Controllers.

From the image perspective, you can deny access to the image repository from unknown IPs or use authenticated access to the registry, but that doesn't stop anyone from running more replicas from an image that already exists in the cluster.


Now, for the workarounds:

  1. You can use a shared volume or any kind of storage service to report generated tokens from token_service_api pods. Alternatively, you can scrape the number of tokens as a metric with a service like Prometheus.
  2. You can introduce some kind of license key to be required by the image to run properly, or a service like KMS to restrict unauthorized instances of the application.
-- p10l
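
The custom admission controller mentioned in the answer, sketched as the decision logic of a validating webhook (an added example, not code from the original post or from Kubernetes). It assumes the vendor controls the cluster's webhook configuration; `MAX_REPLICAS`, the registry name and the sample request are constructed for illustration, and only the image name `token_service_api` comes from the question.

```python
import json

GUARDED_IMAGE = "token_service_api"  # image name from the question
MAX_REPLICAS = 1                     # assumed policy value, not from the page

def image_name(ref):
    """Reduce 'registry:5000/team/name:tag@sha256:...' to 'name'."""
    last = ref.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[0]

def review(admission_review):
    """Build the AdmissionReview reply for a Deployment CREATE or UPDATE."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    pod = spec["template"]["spec"]
    containers = pod.get("containers", []) + pod.get("initContainers", [])
    guarded = any(image_name(c["image"]) == GUARDED_IMAGE for c in containers)
    replicas = spec.get("replicas")
    if replicas is None:
        replicas = 1  # the API server defaults a missing replicas field to 1
    response = {"uid": req["uid"], "allowed": True}
    if guarded and replicas > MAX_REPLICAS:
        response["allowed"] = False
        response["status"] = {
            "code": 403,
            "message": f"{GUARDED_IMAGE}: {replicas} replicas requested, "
                       f"limit is {MAX_REPLICAS}",
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def sample_request(image, replicas):
    """Constructed AdmissionReview, trimmed to the fields the check reads."""
    return {
        "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
        "request": {
            "uid": "constructed-uid-0001", "operation": "CREATE",
            "object": {"kind": "Deployment", "spec": {
                "replicas": replicas,
                "template": {"spec": {"containers": [{"image": image}]}},
            }},
        },
    }

if __name__ == "__main__":
    for image, n in [("registry.example/vendor/token_service_api:1.0", 4),
                     ("registry.example/vendor/token_service_api:1.0", 1),
                     ("nginx:1.25", 4)]:
        print(json.dumps(review(sample_request(image, n))["response"]))
```

The check reads Deployment objects only; StatefulSets, bare Pods and the `scale` subresource carry different object shapes and would need their own handling.
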
Source: StackOverflow