
Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within


In the greater Montreal area? Come see me speak tomorrow at Cloud Native Day.

The abstraction layers of ‘container’, ‘helm’ and so on often keep people from thinking about the security issues. I run ‘helm install X’ or ‘docker build’, and that in turn pulls in many upstream components (base images, charts, packages) that get delivered straight into my environment.

Containers are not a (strong) security barrier: they share the host kernel, so a misconfigured privilege or a kernel bug leaves little between the workload and the node. We often think about security as a Boolean (outside bad, inside good). Here I will talk about ‘Defense in Depth’: assuming that bad things are already inside, and the steps we take to harden the environment so that a single compromise stays contained.

  • service mesh
  • logging
  • network policy
  • reduction in privilege (de-root, de-privilege)
  • RBAC, roles and role bindings
  • understanding the upstream risk, quantifying, controlling
  • read-only filesystems
  • distroless
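As an added illustration (not from the talk or the original post), here is what several of the items above look like in Kubernetes manifests: a Pod spec as most tutorials produce it beside one that applies de-root, de-privilege, read-only filesystem and a distroless image; a default-deny NetworkPolicy with one narrow allow rule; and a Role scoped to a single resource in one namespace. The namespace `app-ns`, the service account `web`, the image names and the `ingress-nginx` namespace are placeholder assumptions.

```yaml
# Added example, not from the original post. Namespace, service account,
# image and ingress-namespace names are placeholders.
#
# 1. Pod hardening. "web-before" is the usual tutorial spec: no securityContext,
#    so it runs as root with default capabilities on a writable root filesystem.
apiVersion: v1
kind: Pod
metadata: {name: web-before, namespace: app-ns, labels: {app: web}}
spec:
  containers:
    - name: web
      image: example/web:1.0            # placeholder; full-distro base image
---
apiVersion: v1
kind: Pod
metadata: {name: web-after, namespace: app-ns, labels: {app: web}}
spec:
  serviceAccountName: web               # bound to the narrow Role below
  # automountServiceAccountToken: false # use this instead if the app never calls the API
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start a UID 0 container
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile: {type: RuntimeDefault}
  containers:
    - name: web
      image: example/web:1.0-distroless # placeholder; no shell, no package manager
      securityContext:
        allowPrivilegeEscalation: false # no_new_privs: setuid binaries gain nothing
        readOnlyRootFilesystem: true    # an intruder cannot drop tools or patch binaries
        capabilities: {drop: ["ALL"]}
      volumeMounts:
        - {name: tmp, mountPath: /tmp}  # the only writable path, backed by emptyDir
  volumes:
    - {name: tmp, emptyDir: {}}
---
# 2. Network policy: deny all ingress and egress in the namespace, then allow
#    only what the web pods need (ingress on 8080 from the ingress controller,
#    egress to cluster DNS). Anything else an intruder tries is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny, namespace: app-ns}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: web-allow, namespace: app-ns}
spec:
  podSelector: {matchLabels: {app: web}}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: ingress-nginx}  # placeholder
      ports: [{port: 8080}]
  egress:
    - to:
        - namespaceSelector: {}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports: [{port: 53, protocol: UDP}]
---
# 3. RBAC: read-only access to ConfigMaps in this namespace for the app's
#    service account, rather than the cluster-admin binding Tiller is commonly given.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: web-config-reader, namespace: app-ns}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: web-config-reader, namespace: app-ns}
subjects:
  - {kind: ServiceAccount, name: web, namespace: app-ns}
roleRef:
  kind: Role
  name: web-config-reader
  apiGroup: rbac.authorization.k8s.io
```

A quick check that the hardening took: `kubectl exec web-after -- touch /usr/bin/x` should fail with a read-only filesystem error, `kubectl exec web-after -- id` should report UID 10001, and a `kubectl exec` into a distroless image has no shell to land in at all. The `default-deny` policy only has effect if the cluster's CNI plugin enforces NetworkPolicy; without one the objects are accepted and silently ignored.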

And I’ll show a simple checklist of activities you can fold into your DevOps cycle that won’t change your cost (much).

I will focus on a Kubernetes environment, contrasting Helm (with Tiller, its cluster-side component in Helm 2) and Kustomize, but the ideas apply to other environments.