In the greater Montreal area? Come see me speak tomorrow at Cloud Native Day.

The abstraction layers of ‘container’, ‘helm’, etc. often stop people from thinking about the security issues. I run ‘helm install X’ or ‘docker build’, and that in turn pulls in many things which get delivered into my environment.

Containers are not a (strong) security barrier. We often think about security as a Boolean (outside bad, inside good). Here I will talk about ‘Defense in Depth’: assuming that bad things are already in, and the steps we take to harden the environment.

  • service mesh
  • logging
  • network policy
  • reduction in privilege (de-root, de-privilege)
  • rbac, roles
  • understanding the upstream risk, quantifying, controlling
  • read-only filesystems
  • distroless
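To make several of the items above concrete, here is an added example (not from the original post, and not tied to any particular project): a Pod manifest that applies de-root, de-privilege and a read-only filesystem, followed by a default-deny NetworkPolicy. The Pod name, image reference and user id are placeholders; the NetworkPolicy assumes a CNI plugin that actually enforces NetworkPolicy objects.

```yaml
# Added example: a Pod hardened along the lines of the list above.
# Names and the image reference are placeholders, not real artifacts.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  labels:
    app: hardened-app
spec:
  automountServiceAccountToken: false     # no API credentials unless the app needs them
  securityContext:
    runAsNonRoot: true                    # de-root: kubelet refuses to start a root container
    runAsUser: 10001                      # placeholder uid that exists in the image
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # runtime's default syscall filter
  containers:
    - name: app
      image: example.invalid/hardened-app:1.0.0   # placeholder; a distroless base suits this
      securityContext:
        allowPrivilegeEscalation: false   # blocks setuid/setcap routes to more privilege
        readOnlyRootFilesystem: true      # read-only filesystem: nothing gets written into the image
        capabilities:
          drop: ["ALL"]                   # de-privilege: start with no Linux capabilities at all
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the one writable path, and it is ephemeral
  volumes:
    - name: tmp
      emptyDir: {}
---
# Default-deny network policy for the namespace: no ingress to and no egress from
# any pod until a more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
```

Two practical notes: the default-deny egress rule also blocks DNS, so a namespace normally needs a second policy that allows UDP/TCP 53 to the cluster resolver before anything resolves names; and if the application genuinely needs the Kubernetes API, re-enable the service-account token and bind a narrow Role (RBAC) rather than leaving the default, broader permissions in place.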

And I’ll show a simple check list of activities you can do during your DevOps cycle that won’t change your cost (much).

I will focus on a Kubernetes environment, contrasting Helm (+Tiller) versus Kustomize, but this is applicable to other environments.

