pod2daemon enables secure communication between a Kubernetes pod and a daemon (e.g. created with a DaemonSet) running on the host. It creates a Kubernetes FlexVolume Driver type nodeagent/uds
to enable Nodeagent to verify the identity of a workload.
A Flexvolume driver type nodeagent/uds
is added to each workload and when such a workload is created, with the volume type mounted, the Nodeagent is notified by the Flexvolume driver. The workloadhandler
creates a Unix Domain Socket (UDS) per workload and then initializes the workloadAPI Grpc Server (see below). The workloadAPI Grpc server can get the credentials of the workload from the workload handler.
The code here was tested with Kubernetes version v1.22.
This is the flex volume driver that should be copied to /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds
Or you can use the provided initcontainer that copies the binary to the specified location on the node.
See nodeagent/nodeagent.yaml
make build
Outputs to bin/flexvol-<arch>
make image
See nodeagent/nodeagent.yaml
initContainer to see how the FlexVolume driver is setup.
The nodeagent.yaml
also shows how the nodeagent volumes need to be setup.
See flexvol/udsver-mount.yaml
for a sample of how a workload will setup the flexvolume.
...snip
containers:
volumeMounts:
- mountPath: /tmp/udsver
name: test-volume
volumes:
- name: test-volume
flexVolume:
driver: nodeagent/uds