Category: cloud

Kubernetes security

Kubernetes is a Platform-as-a-Service (PAAS) similar to Cloud Foundry. It has more a centralized control plane compared to Cloud Foundry.

A threat matrix for Kubernetes –

From RSA’20, a talk on The future of Kubernetes attacks –

Coinbase: Why Kubernetes is not part of our stack

  • it needs a full-time compute team
  • securing it is not trivial and well understood. SPIFFE, SPIRE, Envoy, Istio, OPA, service mesh a few of the technologies.

It links to –

Another similar viewpoint –

A counterpoint to the Coinbase blog –

Scratch notes:

K8S is based on a Controller pattern:

  • Resources capture the desired state.
  • Current state is kept centralized in etcd, a distributed key-value store (similar to Consul).
  • Controllers reconcile current state with desired state.

Pod is a top level resource, is the smallest deployment unit, and is a group of one or more containers described by a yaml file, similar to docker-compose.yml .

K8S Operator is a kind of resource manager, for Custom resources.

Spinnaker – Continuous Delivery platform that itself runs on k8s as a set of pods which can be scaled up

kubectl cheat sheet:

An article on cloud security

Aviatrix Controller on AWS for secure networking

These are some notes from a talk by Aviatrix last week. Many customers get started with Aviatrix orchestration system for deploying AWS Transit Gateway (TGW) and Direct Connect. The transit gateway is the hub gateway that connects multiple VPCs with an on-premise link, possibly over Direct Connect. The Aviatrix product can then deploy and manage multiple VPCs and the communication between them, directing which VPC can talk to which other VPC. It controls the communication by simply deleting the routes.

The advanced transit controller solution is useful for multiple regions, to manage the communication between regions. Another aspect is there are high speed interconnects between the cloud providers and Aviatrix builds an overlay that bridges between public clouds. Multi-account communication and secure communication between the networks using segmentation can be enabled.

According to Aviatrix, AWS’s motto is go build, and do it yourself, it is designed for the builders. But when you go beyond 3 VPCs to 3000 VPCs, one needs a solution to manage the routes in an automated manner. This is the situation for many larger customers. For smaller ones where there are Production, Development and Edge/On-premise network components to manage it also finds use.

Remote user VPN is another use case. Not only can one VPN in and get to all the VPCs, but specify which CIDR they can get to and other restrictions.

WebServices Composition with AWS

Some interesting diagrams on composition of a device data processing pipeline with AWS are at –

The services listed are:
Amazon Cognito: Identity and Security. Gets token with role for API access by a certain user.
Amazon Kinesis: Massive data ingestion. Uses token auth, but token signing can be a easiest.
AWS Lambda: Serverless Data Compute. Supposed to save on EC2 instance costs ( at the expense of lock-in ).
Amazon S3: Virtually unlimited storage. This is what really makes AWS tick.
Amazon Redshift: Petabyte-scale data analysis
It does not say what data goes to S3 and what data goes to the database.
On Redshift, here’s a comment from Nokia:” where their volume of data “literally broke the database”, prompting them to look for more scalable solutions.
There is a tension between “servers” and “services”, which goes back to IAAS vs PAAS distinction. PAAS can be faster to develop with reduced focus on server maintenance. However the number of PAAS concepts to deal with is neither small nor particularly inviting, as instead of a single server, one now has to deal with multiple services, each has to be authenticated, priced,  guarded for possible misuse and each has the potential for surprises. A key to simplicity is how composable the services are.