William B

Kubernetes Platform Design Considerations for Tanzu Part 5: Security

The final blog post in this series is about security.


All Tanzu platform versions run vanilla upstream Kubernetes, and as such most of the recommendations that apply to the standard distribution apply to Tanzu as well.


The first recommendation is to look at security in layers. The Kubernetes documentation calls these the 4Cs of cloud native security: Cloud, Cluster, Container and Code. Each layer sits on top of the one below it, so a weak outer layer undermines everything built on it.

With regard to the "Cloud" layer, the public cloud providers harden and patch the underlying infrastructure for you; the cluster configuration, workloads and identities on top of it remain your responsibility. If your cloud provider is vSphere, the infrastructure layer is yours too, and you should follow the vSphere platform hardening recommendations, which can be found here:


VMware vSphere Security Configuration Guide 7 - Guidance (701-20210210-01, PDF)

VMware vSphere Security Configuration Guide 7 - Controls (701-20210210-01, XLSX)

The Kubernetes project's own security overview covers the remaining layers (Cluster, Container and Code) in more detail: https://kubernetes.io/docs/concepts/security/overview/


In addition to these, here are some other considerations (in no particular order):


  • Compliance

  • Web Proxy

  • Microsegmentation

  • DMZ

  • RBAC

  • Security Zones

  • Anti-Virus and EndPoint Protection

  • Data Encryption

  • Access control lists

  • Identity Management

  • Configuration compliance

  • Port Security

  • IPSec/SSL VPNs

  • SSL Security/PKI

  • Certificate Management

  • Physical Security

  • Security Testing

  • Separation of IT Governance/Information Security and Security Operations

  • Identity and Access Management/Directory Services/Kerberos/LDAP

  • Security Event Monitoring

  • Restricted Networks

  • Security Incident Management

Security Benchmarking


Kubernetes itself provides only basic security controls, which leaves ongoing security monitoring and compliance enforcement to the platform team. Fortunately, there is a plethora of third-party tooling that helps assess and harden a Kubernetes stack.


Two popular open-source tools from Aqua Security are kube-bench and kube-hunter. kube-bench checks the control plane and worker nodes against the CIS Kubernetes Benchmark and reports each check as PASS, FAIL, WARN or INFO with a remediation hint. kube-hunter is not a benchmark but an active scanner: it probes a cluster from the network (or from inside a pod) for known weaknesses, the way an attacker would. Run them on a schedule rather than once at build time, since configuration drifts and upgrades change the results.
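Benchmark output is only useful if something acts on it. The script below is an added example, not code from the original post or from the kube-bench project: it flattens a kube-bench JSON report, applies a small policy (documented risk acceptances per check id, optional failure on WARN) and returns an exit code a pipeline can gate on. It assumes kube-bench was run with `--json` and that the report has a top-level `Controls` list, each control carrying `tests`, each test carrying `results` with a `status` field; the embedded report is constructed for illustration and is not a scan of any real cluster.

```python
"""Gate a pipeline on a kube-bench JSON report (added example, not project code)."""
import json
import sys
from collections import Counter

# Constructed sample shaped like `kube-bench run --json` output (assumed format).
# The check ids/texts mirror CIS-style checks but this is illustrative data only.
SAMPLE_REPORT = json.dumps({
    "Controls": [
        {
            "id": "4", "version": "cis-1.6", "node_type": "node",
            "text": "Worker Node Security Configuration",
            "tests": [
                {"section": "4.1", "desc": "Worker Node Configuration Files",
                 "results": [
                     {"test_number": "4.1.1", "status": "PASS", "remediation": "",
                      "test_desc": "Ensure kubelet service file permissions are 644 or more restrictive"},
                     {"test_number": "4.1.9", "status": "FAIL",
                      "remediation": "Run: chmod 644 /var/lib/kubelet/config.yaml",
                      "test_desc": "Ensure kubelet config file permissions are 644 or more restrictive"},
                 ]},
                {"section": "4.2", "desc": "Kubelet",
                 "results": [
                     {"test_number": "4.2.1", "status": "FAIL",
                      "remediation": "Set authentication.anonymous.enabled: false in the kubelet config",
                      "test_desc": "Ensure that the --anonymous-auth argument is set to false"},
                     {"test_number": "4.2.6", "status": "WARN",
                      "remediation": "Set protectKernelDefaults: true",
                      "test_desc": "Ensure that the --protect-kernel-defaults argument is set to true"},
                 ]},
            ],
        }
    ]
})


def load_results(report_json):
    """Flatten the nested Controls/tests/results tree into one record per check."""
    report = json.loads(report_json)
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                yield {
                    "id": r["test_number"],
                    "desc": r.get("test_desc", ""),
                    "status": r["status"],
                    "remediation": r.get("remediation", ""),
                    "node_type": control.get("node_type", ""),
                }


def summarize(report_json, accepted=()):
    """Return (status counts, list of FAIL records not covered by a risk acceptance)."""
    counts = Counter()
    failing = []
    for rec in load_results(report_json):
        counts[rec["status"]] += 1
        if rec["status"] == "FAIL" and rec["id"] not in accepted:
            failing.append(rec)
    return counts, failing


def gate(report_json, accepted=(), fail_on_warn=False):
    """Exit code for CI: 0 when policy passes, 1 when an unaccepted FAIL (or WARN, if enabled) remains."""
    counts, failing = summarize(report_json, accepted)
    if failing:
        return 1
    if fail_on_warn and counts["WARN"]:
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python gate_kube_bench.py kube-bench.json  (falls back to the constructed sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    accepted_ids = ("4.1.9",)  # hypothetical, documented risk acceptance
    counts, failing = summarize(src, accepted=accepted_ids)
    print("status counts:", dict(counts))
    for rec in failing:
        print(f"FAIL {rec['id']} ({rec['node_type']}): {rec['desc']}")
        print(f"    remediation: {rec['remediation']}")
    sys.exit(gate(src, accepted=accepted_ids))
```

The acceptance list is the important design choice: suppressing a check by id, with a reason recorded next to it in source control, keeps the gate honest, whereas lowering the bar globally (only failing on a count threshold) lets new regressions hide behind old accepted ones. Point the script at a real `kube-bench run --json` report and the same policy applies; treat the report's exact field names as something to verify against the kube-bench version you deploy.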



I hope that some of this information was useful and thought provoking. These posts are by no means an end-all for any of these topics, but more an exercise on things to think about when designing new platforms. If you have any questions or comments, please feel free to reach out!


