Based in the San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Kubernetes Clusters

Overview

As mentioned previously, there are two different 30,000 ft views of hardening Kubernetes.

  • Securing the clusters’ components

  • Securing the workloads within the clusters

Governance is the name of the game. Resource quotas and limits assigned to namespaces not only rein in runaway workloads and enforce injected building-block policies, but also shrink the blast radius of various threats. For instance, allowing only slow egress network connections, combined with limited CPU and memory, caps how many megabytes of data per hour can be exfiltrated, versus terabytes per hour from an ungoverned cluster. Operations will care most about these settings, since they are responsible for making the clusters and workloads behave like water out of a tap: turn on the cluster, deploy the workload, and the workload just magically exists. No need to think about it. Use Operations tooling to keep an eye not only on what is running in the clusters but also on what is being deployed.
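The namespace governance described above, as an added example that is not from the post: a ResourceQuota caps the namespace's total compute, a LimitRange injects per-container defaults and maximums (without defaults, the quota rejects any pod that omits requests or limits), and the egress cap comes not from the quota but from the CNI bandwidth plugin's pod annotation. The namespace name, image and all numbers are illustrative assumptions.

```yaml
# Added example: bounding what any one namespace can consume or push out.
# "team-payments", the image and every number are illustrative assumptions.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: team-payments
spec:
  hard:
    requests.cpu: "4"          # sum of all container CPU requests in the namespace
    requests.memory: 8Gi
    limits.cpu: "8"            # sum of all container CPU limits
    limits.memory: 16Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: team-payments
spec:
  limits:
    - type: Container
      defaultRequest:          # injected when a container sets no requests
        cpu: 100m
        memory: 128Mi
      default:                 # injected when a container sets no limits
        cpu: 500m
        memory: 256Mi
      max:                     # containers asking for more are rejected at admission
        cpu: "2"
        memory: 2Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: batch-worker
  namespace: team-payments
  annotations:
    # Honoured only when the node's CNI chain includes the bandwidth plugin;
    # caps this pod's egress at roughly 1 Mbit/s, bounding bulk exfiltration rate.
    kubernetes.io/egress-bandwidth: 1M
spec:
  containers:
    - name: worker
      image: registry.example.com/batch-worker:1.0   # placeholder image
      resources:
        requests: { cpu: 250m, memory: 256Mi }
        limits: { cpu: "1", memory: 512Mi }
```

Apply with `kubectl apply -f` and confirm the caps with `kubectl describe quota -n team-payments`; a pod that would push the namespace past `limits.cpu` is refused by the API server rather than scheduled.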

Kubernetes Information Security Practices

What is a modern, dynamic service and its building blocks?