I just deleted 1,372 disks from Google cloud and 7 project spaces.
-
Scott Williams 🐧 replied to Taggart :donor: last edited by
@mttaggart @Viss @arichtman I'm in favor of securing on prem stuff as if it were public. I mean, definitely do network segmentation and all, but don't not harden/encrypt things just because you are behind a NAT.
-
@vwbusguy @mttaggart @arichtman that's a good posture to maintain, but the topography as it exists today is basically "if you use old-school networking techniques, like a hardware firewall for example, it reduces the risk of whole classes of bugs, simply because the list of possible attackers goes from 'anybody on the internet' to 'only people in the LAN'".
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@mttaggart @Viss @arichtman I think Viss has an absolutely valid point that people often don't secure their public cloud stuff as if it were public, either.
-
@Viss @vwbusguy @mttaggart yea that's (ime) generally good practice for cloud clusters too. All nodes in private subnets, use API gateways or select nodes as DMZ
-
@arichtman @vwbusguy @Viss @mttaggart most people I know using Istio use it for one feature, that's it.
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@Viss @mttaggart @arichtman For what it's worth, I'm also the kind of guy to be redundant with firewall policy and use Ansible to set up firewall rules on the host for things that are also done at the network firewall level. Sometimes people take for granted that layer 2 stuff doesn't generally go through the network firewall policy.
-
@vwbusguy @mttaggart @Viss our shit's secured about as well as your garden shed. Despite an active interest in InfoSec I had to relax my anus about it, 'cause if the business isn't going to commit resources and/or to a holistic effort, then it's just my cardiologist billing benefitting from the stress.
-
@arichtman @mttaggart @Viss The trick is improving security and convenience at the same time by having it as part of your architecture for your automations from the get-go. If you make your more secure stuff also easier to implement, more people will buy into it.
-
@vwbusguy @mttaggart @arichtman as a dude who has permanent neck/back issues because of a boss I had at Twitter, I can tell you first hand: if you're experiencing actual physical manifestations of stress at work, fix it ASAP, or quit, because if that shit tips over, there's no control-Z.
-
@Viss @arichtman @mttaggart I'm more bothered by the fact that k8s secrets objects aren't actually encrypted (they're just base64 encoded) than scoped injection by env.
The Twelve-Factor App
A methodology for building modern, scalable, maintainable software-as-a-service apps.
(12factor.net)
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@Viss @arichtman @mttaggart This is especially concerning given that most k8s deployments don't have any kind of RBAC set up at all. The gears are there for it, but few (OpenShift and Rancher being notable exceptions) implement it.
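Added example to illustrate the two posts above; it is my own code, not anything from the thread's participants. It shows that a Secret's `data` values are recovered by plain base64 decoding, and builds the kube-apiserver `EncryptionConfiguration` resource (the `apiserver.config.k8s.io/v1` kind, a real Kubernetes API) that makes Secrets encrypted at rest in etcd. The Secret manifest is constructed; the key name `key1` is an arbitrary label.

```python
"""Kubernetes Secrets: base64 is not encryption, and the config that fixes it.
Standard library only; the Secret below is constructed for illustration."""
import base64
import os

# Constructed Secret manifest, shaped like `kubectl get secret -o json` output.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "demo"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app").decode(),
        "password": base64.b64encode(b"hunter2").decode(),
    },
}


def reveal_secret(manifest: dict) -> dict:
    """Return every value in plaintext. base64 is an encoding, not encryption:
    anyone allowed to `get` the Secret object, or to read the etcd backing
    store, has the values. RBAC scoping of `get`/`list` on secrets is the
    control on the API side; at-rest encryption is the control on etcd."""
    return {k: base64.b64decode(v).decode()
            for k, v in manifest.get("data", {}).items()}


def encryption_configuration(key: bytes = None) -> dict:
    """Build an EncryptionConfiguration that encrypts Secrets at rest with
    AES-CBC. `identity` is listed last (not first) so objects written before
    the change remain readable until they are rewritten, while all new writes
    use aescbc. The file is passed to kube-apiserver via
    --encryption-provider-config."""
    key = key or os.urandom(32)  # aescbc accepts 16-, 24- or 32-byte keys
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": "key1",
                                      "secret": base64.b64encode(key).decode()}]}},
                {"identity": {}},
            ],
        }],
    }
```

After enabling the config, existing Secrets must be rewritten (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) before they are actually stored encrypted.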
-
@vwbusguy @Viss @mttaggart yea, that reads to me like a `TODO` that's disgustingly overdue. Either implement something or add the extension API points. The hacks that are the secrets CSI driver or external-secrets operator are not good enough, IMHO.
-
@vwbusguy @arichtman @mttaggart one time I made a very attractive lady literally snot-laugh by saying "Kubernetes appears to have been invented to solve a litany of problems that nobody actually appears to have".
-
@Viss @vwbusguy @mttaggart from the documentary, it was basically shared to kill competition. Not exactly an auspicious start. It's also born of Google Borg, which itself is presumably of requirements that afflict barely any other enterprises. Using Kubernetes is not that far off saying "well, Airbus use ramjet turbines, so our hatchback coupe should".
-
@arichtman @Viss @mttaggart Istio is absolute overkill for most setups. The overhead is insane. If you want to keep things simple, use the WireGuard backend for flannel and let cert-manager auto-provision TLS for everything you deploy.
-
Scott Williams 🐧 replied to Max Effort last edited by
@kubefred @arichtman @Viss @mttaggart If it's strictly for network policy, Calico is probably more practical.
Istio can do some really cool stuff for securing cross-cluster Kubernetes traffic, but it's still a ton of overhead. There's also Submariner for doing that more simply.
-
@vwbusguy @Viss @mttaggart work-wise my hands are more tied as we're on EKS. Home-wise I'm banning Cilium and just leaving east-west traffic alone. If you're in my shit, you're in my shit. I'll get to securing when I consider anything prod grade, and that means backups, DR, monitoring, etc.
-
@arichtman @Viss @mttaggart Why select nodes as DMZ when you can put a proxy in front of it and only expose what you really intend to?
-
@vwbusguy @Viss @mttaggart we don't do that, but in cases like MetalLB or for arbitrary TCP routing it may be required.