Kubernetes is a Platform-as-a-Service (PaaS) similar to Cloud Foundry. It has a more centralized control plane than Cloud Foundry.
A threat matrix for Kubernetes – https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
From RSA’20, a talk on The future of Kubernetes attacks – https://youtu.be/CH7S5rE3j8w
Coinbase: Why Kubernetes is not part of our stack – https://blog.coinbase.com/container-technologies-at-coinbase-d4ae118dcb6c. The post makes these points:
- it needs a full-time compute team to maintain
- securing it is neither trivial nor well understood; SPIFFE, SPIRE, Envoy, Istio, OPA and service meshes are a few of the technologies involved.
This blog links to – https://k8s.af/
Another similar viewpoint – https://pythonspeed.com/articles/dont-need-kubernetes/
A counterpoint to the Coinbase blog – https://blog.kumina.nl/2020/07/in-response-to-container-technologies-at-coinbase/
K8S is based on a Controller pattern:
- Resources capture the desired state.
- Current state is kept centralized in etcd, a distributed key-value store (similar to Consul).
- Controllers reconcile current state with desired state.
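A toy reconcile loop showing the pattern, as an added example that is not Kubernetes code: `ReplicaSet` is a hypothetical desired-state resource, `Store` stands in for etcd, and `Reconcile` is the controller. It is level-triggered and idempotent, so a pod removed out of band (drift) is recreated on the next pass and a converged state yields no actions.

```go
package main

import (
	"fmt"
	"sort"
)

// ReplicaSet is the desired state: how many pods named after it should exist.
type ReplicaSet struct {
	Name     string
	Replicas int
}

// Store stands in for etcd (current state): pod name -> owning ReplicaSet.
type Store struct{ Pods map[string]string }

// Reconcile drives current state toward desired state for one ReplicaSet. It re-reads
// the whole store each run, so it converges even if change events were missed.
func Reconcile(s *Store, rs ReplicaSet) int {
	var owned []string
	for pod, owner := range s.Pods {
		if owner == rs.Name {
			owned = append(owned, pod)
		}
	}
	sort.Strings(owned) // deterministic choice of which surplus pod to delete
	actions := 0
	for i := 0; len(owned) < rs.Replicas; i++ { // too few: create missing pods
		name := fmt.Sprintf("%s-%d", rs.Name, i)
		if _, exists := s.Pods[name]; exists {
			continue
		}
		s.Pods[name] = rs.Name
		owned = append(owned, name)
		actions++
	}
	for len(owned) > rs.Replicas { // too many: delete the surplus
		delete(s.Pods, owned[len(owned)-1])
		owned = owned[:len(owned)-1]
		actions++
	}
	return actions // number of create/delete actions taken this pass
}

func main() {
	store := &Store{Pods: map[string]string{}}
	web := ReplicaSet{Name: "web", Replicas: 3}
	fmt.Println("initial reconcile, actions:", Reconcile(store, web)) // 3 creates
	delete(store.Pods, "web-1")                                        // simulated out-of-band drift
	fmt.Println("after drift, actions:", Reconcile(store, web))        // 1 recreate
	fmt.Println("steady state, actions:", Reconcile(store, web))       // 0
}
```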
A Pod is a top-level resource, the smallest deployment unit, and a group of one or more containers described by a YAML file, similar to docker-compose.yml.
A K8S Operator is a kind of resource manager for Custom Resources.
Spinnaker – a Continuous Delivery platform that itself runs on k8s as a set of pods, which can be scaled up.
kubectl cheat sheet:
An article on cloud security – https://medium.com/xm-cyber/having-fun-with-cloud-services-e281f8a7fe60