Best Practices for Using Tickets

When using secure data-fabric clusters with the Kubernetes Interfaces for Data Fabric, you must generate tickets for your containers. Here are some best practices:
  • Create a different user for each container.
  • To avoid frequent renewals, use long-lived user tickets or servicewithimpersonation tickets. If you refresh or update a ticket, you must restart the containers that use it.
  • If you use an impersonation ticket, it is CRITICAL that you set a security context in the pod definition; otherwise a misbehaving container could impersonate any user ID. For restrictions that apply to the use of impersonation tickets, see How Impersonation Works and maprlogin.
  • In the security context, set runAsUser to the user ID and fsGroup to the group ID that were used to create the ticket. Note that a container-level securityContext can override the pod-level runAsUser, so check both levels.

Here is an example of a pod spec that specifies a security context (the containers section below is a placeholder added to make the spec complete; substitute your own container name and image):

apiVersion: v1
kind: Pod
metadata:
  name: test-secure
  namespace: mapr-examples
spec:
  # runAsUser and fsGroup must match the uid/gid the ticket was generated for
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app                      # placeholder container name
      image: example/app:placeholder # placeholder image
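The matching rule above can be checked automatically before a pod is applied. The following is an added example (not code from the Data Fabric documentation or product): it takes a pod manifest in JSON form (kubectl accepts JSON as well as YAML) and a constructed dict describing the ticket's uid, gid and type, and reports any mismatch, a missing securityContext (critical for impersonation tickets), and container-level runAsUser overrides.

```python
import json

# Constructed ticket metadata (not real maprlogin output): the uid/gid that
# were used when the ticket was generated, and the ticket type.
TICKET = {"uid": 1000, "gid": 2000, "type": "servicewithimpersonation"}

# Constructed pod manifest: pod-level securityContext matches the ticket, but
# one container overrides runAsUser with 0, which Kubernetes honours.
POD_JSON = """{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "test-secure", "namespace": "mapr-examples"},
  "spec": {"securityContext": {"runAsUser": 1000, "fsGroup": 2000},
           "containers": [{"name": "app", "image": "example/app:placeholder",
                           "securityContext": {"runAsUser": 0}}]}}"""


def check_pod(pod: dict, ticket: dict) -> list:
    """Return a list of findings; an empty list means the pod matches the ticket."""
    findings = []
    spec = pod.get("spec", {})
    sc = spec.get("securityContext")
    impersonation = "impersonation" in ticket["type"]
    if sc is None:
        # Without a pod-level securityContext an impersonation ticket lets any
        # process in the container act as any user ID.
        severity = "CRITICAL" if impersonation else "WARN"
        findings.append(f"{severity}: pod has no securityContext")
        sc = {}
    if sc.get("runAsUser") != ticket["uid"]:
        findings.append(f"runAsUser {sc.get('runAsUser')} != ticket uid {ticket['uid']}")
    if sc.get("fsGroup") != ticket["gid"]:
        findings.append(f"fsGroup {sc.get('fsGroup')} != ticket gid {ticket['gid']}")
    # A container-level securityContext.runAsUser overrides the pod-level value.
    for c in spec.get("containers", []):
        cu = c.get("securityContext", {}).get("runAsUser")
        if cu is not None and cu != ticket["uid"]:
            findings.append(f"container {c['name']}: runAsUser {cu} overrides "
                            f"pod-level value and != ticket uid {ticket['uid']}")
    return findings


def check_pod_json(text: str, ticket: dict) -> list:
    """Convenience wrapper: parse a JSON manifest and check it."""
    return check_pod(json.loads(text), ticket)


if __name__ == "__main__":
    for finding in check_pod_json(POD_JSON, TICKET):
        print(finding)
```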