I just deleted 1,372 disks from Google cloud and 7 project spaces.
-
@arichtman @vwbusguy @Viss @mttaggart most people I know using Istio use it for one feature, that's it.
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@Viss @mttaggart @arichtman For what it's worth, I'm also the kind of guy to be redundant with firewall policy and use Ansible to set up firewall rules on the host for things that are also done at the network firewall level. Sometimes people take for granted that layer 2 stuff doesn't generally go through the network firewall policy.
-
@vwbusguy @mttaggart @Viss our shit's secured about as well as your garden shed. Despite an active interest in InfoSec I had to relax my anus about it cause if the business isn't going to commit resources and/or to a holistic effort then it's just my cardiologist billing benefitting from the stress.
-
@arichtman @mttaggart @Viss The trick is improving security and convenience at the same time by having it as part of your architecture for your automations from the get go. If you make your more secure stuff also more easy to implement, more people will buy into it.
-
@vwbusguy @mttaggart @arichtman as a dude who has permanent neck/back issues because of a boss I had at Twitter, I can tell you first hand: if you're experiencing actual physical manifestations of stress at work, fix it asap, or quit - because if that shit tips over, there's no control-z.
-
@Viss @arichtman @mttaggart I'm more bothered by the fact that k8s secrets objects aren't actually encrypted (they're just base64 encoded) than scoped injection by env.
The Twelve-Factor App
A methodology for building modern, scalable, maintainable software-as-a-service apps.
(12factor.net)
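Added example (not from the thread, not from any of the posters): the two halves of the point above in runnable form. `decode_secret` shows that a Secret's `data` field comes back to plaintext with no key at all, and `secrets_encrypted_at_rest` inspects a kube-apiserver `EncryptionConfiguration` (the `--encryption-provider-config` file) to tell whether Secrets are actually encrypted before they hit etcd. The Secret contents, role names and key material are constructed placeholders; the provider ordering rule (first provider encrypts writes, `identity` means store as-is) is how the API server behaves.

```python
import base64

# Constructed sample Secret, in the shape `kubectl get secret -o json` returns.
# Values are hypothetical and not from any real cluster.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "app"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app_user").decode(),
        "password": base64.b64encode(b"correct horse battery staple").decode(),
    },
}


def decode_secret(manifest):
    """Return the plaintext key/value pairs held in a Secret's `data` field.

    base64 needs no key to reverse, so anyone who can read the object
    (API access, an etcd snapshot, a cluster backup) has the value.
    """
    return {
        key: base64.b64decode(value).decode()
        for key, value in manifest.get("data", {}).items()
    }


# Constructed EncryptionConfiguration documents, shown as dicts (on disk they
# are YAML). The first provider in the list encrypts every new write; later
# providers are only tried when decrypting reads. `identity` means "store as-is".
# Wildcard resource entries such as "*." are not handled by this check.

# Mistake: identity listed first, so new Secrets are still written in plaintext.
ENC_CFG_PLAINTEXT = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["secrets"],
            "providers": [
                {"identity": {}},
                {"aescbc": {"keys": [{"name": "key1", "secret": "<placeholder>"}]}},
            ],
        }
    ],
}

# Correct shape when enabling encryption: aescbc first, identity last so that
# Secrets written before the change stay readable until they are rewritten.
ENC_CFG_AESCBC = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [
        {
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": "key1", "secret": "<placeholder>"}]}},
                {"identity": {}},
            ],
        }
    ],
}


def secrets_encrypted_at_rest(enc_cfg):
    """True only if the provider that will encrypt new Secrets is not identity.

    A cluster with no EncryptionConfiguration at all (enc_cfg is None) stores
    Secrets in etcd exactly as the base64 text above.
    """
    if enc_cfg is None:
        return False
    for entry in enc_cfg.get("resources", []):
        if "secrets" in entry.get("resources", []):
            providers = entry.get("providers", [])
            return bool(providers) and "identity" not in providers[0]
    return False


if __name__ == "__main__":
    print("decoded:", decode_secret(SAMPLE_SECRET))
    print("no config:", secrets_encrypted_at_rest(None))
    print("identity first:", secrets_encrypted_at_rest(ENC_CFG_PLAINTEXT))
    print("aescbc first:", secrets_encrypted_at_rest(ENC_CFG_AESCBC))
```

Encryption at rest only protects the etcd copy; anyone with RBAC rights to read the Secret object still gets the plaintext through the API, which is why the next post's RBAC point matters as much as this one.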
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@Viss @arichtman @mttaggart This is especially concerning given that most k8s deployments don't have any kind of RBAC setup at all. The gears are there for it, but few (Openshift and Rancher being notable exceptions) implement it.
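Added example (not from the thread): a small audit of the RBAC objects the post says most clusters never set up. It flags every Role or ClusterRole whose rules let the holder read Secrets, including the wildcard rules where the word "secrets" never appears, and then maps the flagged roles back to the subjects bound to them. The role and binding objects are constructed samples with hypothetical names; real input would be the `items` from `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -o json`.

```python
READ_VERBS = {"get", "list", "watch"}


def rule_reads_secrets_broadly(rule):
    """True if one RBAC rule lets its holder read any Secret in scope.

    Wildcards count: `resources: ["*"]` or `verbs: ["*"]` in the core API
    group cover Secrets even though the word never appears. A rule pinned to
    specific objects via `resourceNames` is treated as narrow and skipped.
    """
    if rule.get("resourceNames"):
        return False
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    api_groups = set(rule.get("apiGroups", []))
    touches_secrets = "*" in resources or "secrets" in resources
    core_group = "*" in api_groups or "" in api_groups
    can_read = "*" in verbs or bool(verbs & READ_VERBS)
    return touches_secrets and core_group and can_read


def broad_secret_readers(roles):
    """Names of Roles/ClusterRoles with at least one broad secret-reading rule."""
    return sorted(
        role["metadata"]["name"]
        for role in roles
        if any(rule_reads_secrets_broadly(r) for r in role.get("rules", []))
    )


def subjects_with_broad_secret_read(roles, bindings):
    """Map flagged roles back to who holds them via (Cluster)RoleBindings.

    Simplification: matches on roleRef name only; a Role and a ClusterRole
    sharing a name would both be matched here.
    """
    flagged = set(broad_secret_readers(roles))
    subjects = set()
    for binding in bindings:
        if binding["roleRef"]["name"] in flagged:
            for s in binding.get("subjects", []):
                subjects.add(f"{s['kind']}:{s.get('namespace', '')}:{s['name']}")
    return sorted(subjects)


# Constructed sample objects (hypothetical names, not from a real cluster).
ROLES = [
    {"metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "deploy-bot"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "app-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "resourceNames": ["db-creds"], "verbs": ["get"]}]},
    {"metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list", "watch"]}]},
]

BINDINGS = [
    {"metadata": {"name": "deploy-bot-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "deploy-bot"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "app-reader-binding"},
     "roleRef": {"kind": "Role", "name": "app-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "app"}]},
]


if __name__ == "__main__":
    print("broad secret readers:", broad_secret_readers(ROLES))
    print("bound subjects:", subjects_with_broad_secret_read(ROLES, BINDINGS))
```

The `app-reader` role is deliberately left unflagged: pinning a rule to `resourceNames` is the least-privilege shape to aim for when a workload genuinely needs one Secret.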
-
@vwbusguy @Viss @mttaggart yea that's read to me like a `TODO` that's disgustingly overdue. Either implement something or add the extension API points. The hacks that are the secrets CSI driver or external-secrets operator are not good enough imho
-
@vwbusguy @arichtman @mttaggart one time i made a very attractive lady literally snotlaugh by saying "kubernetes appears to have been invented to solve a litany of problems that nobody actually appears to have"
-
@Viss @vwbusguy @mttaggart from the documentary it was basically shared to kill competition. Not exactly an auspicious start. It's also born of Google Borg which itself is presumably of requirements that afflict barely any other enterprises. Using kubernetes is not that far off saying "well Airbus use ramjet turbines so our hatchback coupe should"
-
@arichtman @Viss @mttaggart Istio is absolute overkill for most setups. The overhead is insane. If you want to keep things simple, use the WireGuard backend for flannel and let cert-manager autoprovision TLS for everything you deploy.
-
Scott Williams 🐧 replied to Max Effort last edited by [email protected]
@kubefred @arichtman @Viss @mttaggart If it's strictly for network policy, Calico is probably more practical.
Istio can do some really cool stuff for securing cross cluster Kubernetes traffic, but it's still a ton of overhead. There's also submariner for doing that more simply.
-
@vwbusguy @Viss @mttaggart work-wise my hands are more tied as we're EKS. Home-wise I'm banning Cilium and just leaving east-west traffic alone. If you're in my shit, you're in my shit. I'll get to securing when I consider anything prod grade and that means backups, DR, monitoring etc.
-
@arichtman @Viss @mttaggart Why select nodes as dmz when you can put a proxy in front of it and only expose what you really intend to?
-
@vwbusguy @Viss @mttaggart we don't do that but in cases like MetalLB or for arbitrary TCP routing it may be required.
-
Scott Williams 🐧 replied to Ariel last edited by [email protected]
@arichtman @mttaggart @Viss My garden shed is secured like how old tomcat servers are - it's full of unusual spiders and I'm not sure which ones are still alive and which ones might be highly toxic to touch. No one is going in there.
-
@Viss @mttaggart @arichtman I'm guessing this was meant as a reply for a different thread? That said, having experienced something similar before myself, this is solid advice.
-
Scott Williams 🐧 replied to Scott Williams 🐧 last edited by
@Viss @mttaggart @arichtman Reading the Phoenix Project was both highly therapeutic but also very difficult because it made me remember fresh some of those experiences.
-
@arichtman @Viss @mttaggart Oh, there's ways to do it, such as SOPS or a number of vault vendors that manage secrets or do runtime injection (currently using Infisical, but that's not an endorsement).
Manage Kubernetes secrets with SOPS
Manage Kubernetes secrets with SOPS, OpenPGP, Age and Cloud KMS.
(fluxcd.io)
-
@vwbusguy @arichtman @mttaggart I've been telling my customers to handle secrets entirely out of band from CI/CD, and to basically have them deployed in a way where they are more or less hard-coded and encoded somehow, so they don't end up in text files on disk or in env vars.
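Added example (not from the thread) illustrating the env-var half of the advice above: why a secret in the environment is hard to contain, and what the file-mounted alternative (a tmpfs volume, a SOPS-decrypted file, a vault agent sink, as the earlier post mentions) looks like from the app's side. `child_sees` spawns a child Python and reports whether it inherited `DB_PASSWORD`; `read_mounted_secret` reads a secret from an owner-only file into process memory without exporting it. The variable name, the value `hunter2` and the temp file are constructed for the demo.

```python
import os
import subprocess
import sys
import tempfile

# What the child process reports for DB_PASSWORD; shows env inheritance.
CHILD_SNIPPET = (
    "import os, sys; "
    "sys.stdout.write(os.environ.get('DB_PASSWORD', '<absent>'))"
)


def env_with_secret(value):
    """Copy of this process's environment with a constructed secret added."""
    return dict(os.environ, DB_PASSWORD=value)


def child_sees(env):
    """Spawn a child Python with `env` and return the DB_PASSWORD it observed.

    Every subprocess inherits the parent's environment unless told otherwise,
    and same-user processes can read /proc/<pid>/environ, so a secret in an
    env var spreads to every helper the app shells out to.
    """
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SNIPPET],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


def scrubbed(env, names):
    """Copy of `env` with the named variables removed before spawning children."""
    return {k: v for k, v in env.items() if k not in names}


def write_constructed_secret_file(value):
    """Stand-in for a secret the orchestrator mounts as a file. Demo only."""
    fd, path = tempfile.mkstemp(prefix="secret-")
    with os.fdopen(fd, "w") as f:
        f.write(value + "\n")
    os.chmod(path, 0o400)  # owner-read only; no group/other bits
    return path


def read_mounted_secret(path):
    """Read the secret into process memory without exporting it anywhere."""
    with open(path) as f:
        return f.read().strip()


def remove_secret_file(path):
    os.remove(path)


if __name__ == "__main__":
    leaky = env_with_secret("hunter2")
    print("secret in env, child sees:", child_sees(leaky))
    print("env scrubbed, child sees:", child_sees(scrubbed(leaky, {"DB_PASSWORD"})))
    path = write_constructed_secret_file("hunter2")
    try:
        secret = read_mounted_secret(path)
        print(f"read {len(secret)} chars from file; child sees:",
              child_sees(dict(os.environ)))
    finally:
        remove_secret_file(path)
```

The scrubbed-env case is the minimum if a secret must pass through the environment at all; the file-mounted case avoids the problem entirely because nothing is inherited and the file's mode limits who can read it.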