Kubernetes Platform Design Considerations for Tanzu Part 5: Security
The final blog post in this series is about security.
All Tanzu platform versions support vanilla upstream Kubernetes, and as such many of the recommendations come from the standard distribution.
The first recommendation is to look at security as layers:
With regard to the "Cloud" layer, the public clouds do the infrastructure hardening and patching for you. If your cloud provider is vSphere, you should follow the vSphere platform hardening recommendations, which can be found here:
A more detailed security guide can be found here: https://kubernetes.io/docs/concepts/security/overview/
In addition to these, here are some other considerations (in no particular order):
Anti-Virus and EndPoint Protection
Access control lists
Separation of IT Governance/Information Security and Security Operations
Identity and Access Management/Directory Services/Kerberos/LDAP
Security Event Monitoring
Security Incident Management
Kubernetes only provides basic security measures, which leaves advanced security monitoring and compliance enforcement to admins. Fortunately, there is a plethora of third-party tools available that help secure your Kubernetes stack.
Two popular benchmarking tools are Kube-hunter & Kube-Bench:
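As an added example (not part of the original post or of either tool), here is a small Python helper that turns a kube-bench JSON report into a pass/fail summary and a CI-style gate, so the compliance checks mentioned above can be enforced rather than just read. The report embedded below is constructed; it assumes the field names kube-bench uses in its JSON output ("Controls", "tests", "results", "status", "remediation") and accepts both the wrapped-object and the older bare-list form.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of a kube-bench JSON report (assumption:
# a "Controls" wrapper around control groups with "tests" -> "results").
SAMPLE_REPORT = json.dumps({"Controls": [{
    "id": "1", "version": "cis-1.6", "node_type": "master",
    "text": "Master Node Security Configuration",
    "tests": [{"section": "1.2", "desc": "API Server", "results": [
        {"test_number": "1.2.1", "status": "FAIL",
         "test_desc": "Ensure that the --anonymous-auth argument is set to false",
         "remediation": "Set --anonymous-auth=false on the kube-apiserver"},
        {"test_number": "1.2.2", "status": "PASS",
         "test_desc": "Ensure that the --basic-auth-file argument is not set",
         "remediation": ""},
        {"test_number": "1.2.3", "status": "WARN",
         "test_desc": "Ensure that the --token-auth-file parameter is not set",
         "remediation": "Review token file usage and migrate to another auth method"},
    ]}],
}]})

def load_controls(report_text):
    """Return the list of control groups; older kube-bench emitted a bare list."""
    data = json.loads(report_text)
    return data.get("Controls", []) if isinstance(data, dict) else data

def summarize(report_text):
    """Count results by status and collect every FAIL with its remediation."""
    counts, failures = Counter(), []
    for control in load_controls(report_text):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                status = result.get("status", "INFO")
                counts[status] += 1
                if status == "FAIL":
                    failures.append({"id": result.get("test_number", "?"),
                                     "node_type": control.get("node_type", "?"),
                                     "desc": result.get("test_desc", ""),
                                     "remediation": result.get("remediation", "").strip()})
    return counts, failures

def gate(report_text, max_fail=0):
    """True if the report has no more FAILs than the allowed budget."""
    return summarize(report_text)[0]["FAIL"] <= max_fail

if __name__ == "__main__":
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    counts, failures = summarize(report)
    print("summary:", dict(counts))
    for f in failures:
        print(f"FAIL {f['id']} [{f['node_type']}] {f['desc']} -> {f['remediation']}")
    sys.exit(0 if gate(report) else 1)
```

Pipe a real report in with `kube-bench --json | python3 kb_gate.py` (assumed script name) to fail a pipeline on any unremediated check.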
I hope that some of this information was useful and thought provoking. These posts are by no means an end-all for any of these topics, but more an exercise on things to think about when designing new platforms. If you have any questions or comments, please feel free to reach out!