The final blog post in this series is about security.
All Tanzu platform versions support vanilla upstream Kubernetes, and as such many of the recommendations from the standard distribution apply.
The first recommendation is to look at security as layers:
Regarding the "Cloud" layer: for the public clouds, the provider does the infrastructure hardening and patching for you. If your cloud provider is vSphere, you should follow the vSphere platform hardening recommendations, which can be found here:
A more detailed security guide can be found here: https://kubernetes.io/docs/concepts/security/overview/
In addition to these, here are some other considerations (in no particular order):
Compliance
Web Proxy
Microsegmentation
DMZ
RBAC
Security Zones
Anti-Virus and EndPoint Protection
Data Encryption
Access control lists
Identity Management
Configuration compliance
Port Security
IPSec/SSL VPNs
SSL Security/PKI
Certificate Management
Physical Security
Security Testing
Separation of IT Governance/Information Security and Security Operations
Identity and Access Management/Directory Services/Kerberos/LDAP
Security Event Monitoring
Restricted Networks
Security Incident Management
Security Benchmarking
Kubernetes only provides basic security measures, leaving advanced security monitoring and compliance enforcement to admins. Fortunately, there is a plethora of third-party tools available that help secure your Kubernetes stack.
Two popular benchmarking tools are Kube-hunter & Kube-Bench:
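To make concrete what a benchmarking tool such as kube-bench actually does, here is a small added example (written for this post, not code from the original article or from the kube-bench project): a CIS-style check of a few kube-apiserver command-line flags. It reads an apiserver static-pod manifest and reports PASS or FAIL per check. The manifest embedded below is constructed sample input containing one compliant and two non-compliant settings; the path /etc/kubernetes/manifests/kube-apiserver.yaml mentioned in the comments is the kubeadm default location and is assumed, not taken from the post.

```shell
#!/bin/sh
# Added example: minimal CIS-style checks over a kube-apiserver manifest.
# Not from the original post or from kube-bench; it only illustrates the
# kind of check such tools automate.

# Constructed sample manifest (kubeadm-style static pod). Contains one
# compliant flag (anonymous-auth) and two non-compliant ones.
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=AlwaysAllow
    - --profiling=true
    - --secure-port=6443
'

# flag_value MANIFEST FLAG: print the value of --FLAG from the command
# list, or nothing if the flag is absent.
flag_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*- --$2=\(.*\)$/\1/p" | head -n 1
}

# check_flag MANIFEST FLAG EXPECTED: PASS when --FLAG equals EXPECTED.
# An absent flag counts as FAIL (defaults are not trusted).
check_flag() {
  actual=$(flag_value "$1" "$2")
  if [ "$actual" = "$3" ]; then echo PASS; else echo FAIL; fi
}

# check_not_contains MANIFEST FLAG FORBIDDEN: PASS when --FLAG is present
# and its comma-separated value does not include FORBIDDEN.
check_not_contains() {
  actual=$(flag_value "$1" "$2")
  [ -z "$actual" ] && { echo FAIL; return; }
  case ",$actual," in
    *",$3,"*) echo FAIL ;;
    *) echo PASS ;;
  esac
}

# run_checks MANIFEST: evaluate the checks, print one line each, and
# return non-zero if any check fails.
run_checks() {
  m=$1
  rc=0
  for spec in "anonymous-auth=false" "profiling=false"; do
    flag=${spec%%=*}; want=${spec#*=}
    r=$(check_flag "$m" "$flag" "$want")
    printf '%-45s %s\n' "--$flag should be $want" "$r"
    [ "$r" = PASS ] || rc=1
  done
  r=$(check_not_contains "$m" authorization-mode AlwaysAllow)
  printf '%-45s %s\n' "--authorization-mode must not be AlwaysAllow" "$r"
  [ "$r" = PASS ] || rc=1
  return $rc
}

# On a kubeadm node (assumed default path) you would run instead:
#   run_checks "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)"
run_checks "$SAMPLE_MANIFEST" || true
```

Run against the sample, the anonymous-auth check passes while the profiling and authorization-mode checks fail, which is exactly the kind of finding a benchmark report surfaces for remediation. Real tools cover hundreds of such checks across the control plane, etcd and worker nodes; the value of this toy version is seeing that each one is a simple, auditable assertion about configuration.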
I hope that some of this information was useful and thought provoking. These posts are by no means an end-all for any of these topics, but more an exercise on things to think about when designing new platforms. If you have any questions or comments, please feel free to reach out!