Month: May 2020

Kubernetes security

Kubernetes is a container orchestration platform that fills a role similar to a Platform-as-a-Service (PaaS) such as Cloud Foundry. Compared to Cloud Foundry it has a more centralized control plane (API server, etcd and the controllers behind them), which is also where most of its attack surface is concentrated.

A threat matrix for Kubernetes –

From RSA’20, a talk on The future of Kubernetes attacks –

Coinbase: Why Kubernetes is not part of our stack makes these points

  • it needs a full-time compute team to maintain
  • securing it is neither trivial nor widely understood; SPIFFE, SPIRE, Envoy, Istio, OPA and service meshes are a few of the technologies involved, each with its own operational and security learning curve.

This blog links to –

Another similar viewpoint –

A counterpoint to the Coinbase blog –

Scratch notes:

K8S is based on a Controller pattern:

  • Resources capture the desired state (the spec of an object).
  • Both desired state and observed state (the status of each object) are kept centrally in etcd, a distributed key-value store (similar to Consul), and are read and written only through the API server.
  • Controllers watch the API server and reconcile observed state with desired state, repeatedly, until the two match.

Because etcd holds every object, including Secrets, read access to etcd itself (or to an etcd backup) is equivalent to cluster admin; it should be encrypted at rest, restricted to the API server's client certificate, and never exposed on a routable network. The same loop also matters for detection: an attacker who merely deletes pods is undone by the controller on the next pass, so persistent tampering targets the desired state (API server or etcd), and that is where audit logging should be focused.
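The reconciliation loop described above, as an added example written for this page (not Kubernetes' own controller code): an in-memory store stands in for etcd behind the API server, a ReplicaSet-like spec carries the desired replica count, and Reconcile takes the minimal action to close the gap between observed and desired state. The store, the spec type and the pod naming scheme are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// ReplicaSetSpec is the desired state: how many pods should run under this name.
type ReplicaSetSpec struct {
	Name     string
	Replicas int
}

// Store is a constructed in-memory stand-in for etcd behind the API server:
// the only place where desired (Specs) and observed (Pods) state live.
type Store struct {
	Specs map[string]ReplicaSetSpec
	Pods  map[string]string // pod name -> owning ReplicaSet name
	seq   int
}

func NewStore() *Store {
	return &Store{Specs: map[string]ReplicaSetSpec{}, Pods: map[string]string{}}
}

// ownedPods returns the observed state for one ReplicaSet, sorted for determinism.
func (s *Store) ownedPods(owner string) []string {
	var out []string
	for p, o := range s.Pods {
		if o == owner {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// Reconcile performs one controller pass for the named spec: compare observed to
// desired and create or delete just enough pods to match. It is idempotent, so a
// second pass on a converged store does nothing. Returns the counts of actions taken.
func Reconcile(s *Store, name string) (created, deleted int) {
	spec, ok := s.Specs[name]
	owned := s.ownedPods(name)
	if !ok {
		// Spec was deleted: garbage-collect everything it owned.
		for _, p := range owned {
			delete(s.Pods, p)
			deleted++
		}
		return
	}
	switch {
	case len(owned) < spec.Replicas:
		for i := len(owned); i < spec.Replicas; i++ {
			s.seq++
			s.Pods[fmt.Sprintf("%s-%d", name, s.seq)] = name
			created++
		}
	case len(owned) > spec.Replicas:
		for _, p := range owned[spec.Replicas:] {
			delete(s.Pods, p)
			deleted++
		}
	}
	return
}

// Converged reports whether observed state matches desired state for every spec
// and no orphaned pods remain.
func Converged(s *Store) bool {
	for name, spec := range s.Specs {
		if len(s.ownedPods(name)) != spec.Replicas {
			return false
		}
	}
	for _, owner := range s.Pods {
		if _, ok := s.Specs[owner]; !ok {
			return false
		}
	}
	return true
}

func main() {
	s := NewStore()
	s.Specs["web"] = ReplicaSetSpec{Name: "web", Replicas: 3}
	c, d := Reconcile(s, "web")
	fmt.Println("scale up:   created", c, "deleted", d, "converged", Converged(s))

	// An attacker (or a node failure) removes one pod from observed state;
	// the next pass simply replaces it.
	delete(s.Pods, "web-1")
	c, d = Reconcile(s, "web")
	fmt.Println("pod lost:   created", c, "deleted", d, "converged", Converged(s))

	// Changing the desired state, by contrast, persists across passes.
	s.Specs["web"] = ReplicaSetSpec{Name: "web", Replicas: 1}
	c, d = Reconcile(s, "web")
	fmt.Println("scale down: created", c, "deleted", d, "converged", Converged(s))
}
```

The second and third passes in main are the point for defenders: deleting a pod is self-healing noise, while a change to the spec is the durable action, so alerting on spec mutations (and on who made them) is more useful than alerting on pod churn.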

A Pod is a top-level resource and the smallest deployable unit: a group of one or more containers that share a network namespace (and optionally volumes), described by a YAML manifest broadly comparable to a docker-compose.yml. The Pod spec is also where most node-escape settings live (privileged containers, hostPID/hostNetwork, hostPath volumes), so it is the natural place to enforce policy at admission time.
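An added example, written for this page rather than taken from Kubernetes or from any of the linked talks: a small audit of a Pod manifest for the settings that let a compromised container reach the node. It is a simplified stand-in for what a validating admission controller or an OPA/Gatekeeper policy would enforce. The manifests are constructed for the example (Kubernetes accepts JSON as well as YAML, which keeps the parser in the standard library); the struct covers only the fields the checks need, and the check set is an assumption based on the restricted Pod Security Standard, not a complete implementation of it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the manifest fields the checks need; everything else is ignored on parse.
type SecurityContext struct {
	Privileged               *bool `json:"privileged"`
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext"`
}

type Volume struct {
	Name     string `json:"name"`
	HostPath *struct {
		Path string `json:"path"`
	} `json:"hostPath"`
}

type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		HostPID     bool        `json:"hostPID"`
		HostNetwork bool        `json:"hostNetwork"`
		Containers  []Container `json:"containers"`
		Volumes     []Volume    `json:"volumes"`
	} `json:"spec"`
}

// Audit parses a Pod manifest in JSON form and returns one finding per setting that
// would let the workload escape to the node. An empty result means it passes.
// Pointers distinguish "field absent" from "field set to false": an absent field
// gets the insecure Kubernetes default, so it is reported too.
func Audit(manifest []byte) ([]string, error) {
	var p Pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var findings []string
	if p.Spec.HostPID {
		findings = append(findings, "spec.hostPID=true: node processes visible and traceable")
	}
	if p.Spec.HostNetwork {
		findings = append(findings, "spec.hostNetwork=true: shares the node's network namespace")
	}
	for _, vol := range p.Spec.Volumes {
		if vol.HostPath != nil {
			findings = append(findings, fmt.Sprintf("volume %q mounts hostPath %q: node filesystem exposed", vol.Name, vol.HostPath.Path))
		}
	}
	for _, c := range p.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			findings = append(findings, fmt.Sprintf("container %q: no securityContext; defaults allow root and privilege escalation", c.Name))
			continue
		}
		if sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, fmt.Sprintf("container %q: privileged=true: full device and capability access", c.Name))
		}
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			findings = append(findings, fmt.Sprintf("container %q: runAsNonRoot is not true", c.Name))
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			findings = append(findings, fmt.Sprintf("container %q: allowPrivilegeEscalation is not false", c.Name))
		}
	}
	return findings, nil
}

// Constructed sample manifests (not from any real cluster): a "debug" Pod that hands a
// compromised container the node, and the hardened form of the same Pod.
const weakPod = `{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "debug"},
  "spec": {
    "hostPID": true,
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": true}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]
  }
}`

const hardenedPod = `{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "debug"},
  "spec": {
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": false, "runAsNonRoot": true,
                                        "allowPrivilegeEscalation": false}}]
  }
}`

func main() {
	for _, m := range []string{weakPod, hardenedPod} {
		findings, err := Audit([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak manifest is the shape of the "debug pod" an attacker with pod-create rights would submit: hostPID plus a privileged container plus a hostPath mount of `/` is a node takeover in one object, which is why these fields belong in an admission policy rather than in a post-deployment scan.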

A K8S Operator is a controller for Custom Resources: it extends the API with a new resource type (via a CRD) and packages the operational knowledge for that resource as a reconciliation loop. Operators run with their own service account, so their RBAC grant should be scoped to the resources they actually manage rather than a cluster-wide role.

Spinnaker – Continuous Delivery platform that itself runs on k8s as a set of pods which can be scaled up. Like any CD system it holds deploy credentials for every target environment, which makes it a high-value target in its own right.

kubectl cheat sheet:

An article on cloud security