Kubernetes security

Kubernetes is a Platform-as-a-Service (PAAS) similar to Cloud Foundry. It has more a centralized control plane compared to Cloud Foundry.

A threat matrix for Kubernetes – https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

From RSA’20, a talk on The future of Kubernetes attacks – https://youtu.be/CH7S5rE3j8w

Coinbase: Why Kubernetes is not part of our stackhttps://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c makes these points

  • it needs a full-time compute team to maintain
  • securing it is neither trivial nor well understood. SPIFFE, SPIRE, Envoy, Istio, OPA, service mesh are a few of the technologies.

This blog links to – https://k8s.af/

Another similar viewpoint – https://pythonspeed.com/articles/dont-need-kubernetes/

A counterpoint to the Coinbase blog – https://blog.kumina.nl/2020/07/in-response-to-container-technologies-at-coinbase/

Scratch notes:

K8S is based on a Controller pattern:

  • Resources capture the desired state.
  • Current state is kept centralized in etcd, a distributed key-value store (similar to Consul).
  • Controllers reconcile current state with desired state.

Pod is a top level resource, is the smallest deployment unit, and is a group of one or more containers described by a yaml file, similar to docker-compose.yml .

K8S Operator is a kind of resource manager, for Custom resources.



Spinnaker – Continuous Delivery platform that itself runs on k8s as a set of pods which can be scaled up

kubectl cheat sheet:


An article on cloud security https://medium.com/xm-cyber/having-fun-with-cloud-services-e281f8a7fe60

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s