# Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within

In the greater Montreal area? Come see me speak tomorrow at [Cloud Native Day](http://www.cloudnativeday.ca/en/schedule/).

Abstraction layers such as 'container' and 'helm' often stop people thinking about security at all: I run 'helm install X' or 'docker build', and that in turn pulls in many upstream artifacts that are delivered straight into my environment.

Containers are not a (strong) security barrier. We often think about security as a Boolean (outside bad, inside good). Here I will talk about 'Defense in Depth': assuming that bad things are already in, and the steps we take to harden the environment.

- service mesh
- logging
- network policy
- reduction in privilege (de-root, de-privilege)
- rbac, roles
- understanding the upstream risk, quantifying, controlling
- read-only filesystems
- distroless

And I'll show a simple checklist of activities you can do during your DevOps cycle that won't change your cost (much).

I will focus on a Kubernetes environment, contrasting Helm (+Tiller) versus Kustomize, but this is applicable to other environments.

https://www.youtube.com/watch?v=IQpWIIVHwGo