In the greater Montreal area? Come see me speak tomorrow at Cloud Native Day.
The abstraction layers of ‘container’, ‘helm’ etc. often stop people from thinking about the security issues. I run ‘helm install X’ or ‘docker build’, and that in turn pulls in many things which get delivered into my environment.
Containers are not a (strong) security barrier. We often think about security as a Boolean (outside bad, inside good). Here I will talk about ‘Defense in Depth’: assuming that bad things are already in, and the steps we take to harden the environment.
- service mesh
- logging
- network policy
- reduction in privilege (de-root, de-privilege)
- RBAC, roles
- understanding the upstream risk, quantifying, controlling
- read-only filesystems
- distroless
And I’ll show a simple checklist of activities you can do during your DevOps cycle that won’t change your cost (much).
I will focus on a Kubernetes environment, contrasting Helm (+Tiller) versus Kustomize, but this is applicable to other environments.
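As an added illustration of the pod-level items on that list (de-root, de-privilege, read-only filesystem, distroless and pinned upstream images), here is a small checker one could run in a CI step over rendered manifests; it is example code written for this post, not material from the talk. It works on the parsed (JSON/dict) form of a Pod or Deployment, the sample objects are constructed, and the digest in the hardened sample is a zero-filled placeholder; network policy, RBAC and the service mesh are cluster-level and not covered here.

```python
# Constructed sample: the parsed form of a manifest as `helm template` or
# `kustomize build` would render it (YAML loaded into dicts, or kubectl -o json).
WEAK_POD = {
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]}}

HARDENED_DEPLOY = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},          # de-root at pod level
        "containers": [{
            "name": "web",
            # distroless base, pinned by digest (placeholder digest, constructed)
            "image": "gcr.io/distroless/static@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,           # de-privilege
                "readOnlyRootFilesystem": True,              # read-only filesystem
                "capabilities": {"drop": ["ALL"]}}}]}}}}

def pod_template(obj):
    """Pods carry the spec directly; workload controllers wrap it in spec.template."""
    return obj if obj["kind"] == "Pod" else obj["spec"]["template"]

def check_container(pod_sc, c):
    """Return hardening findings for one container (empty list means clean)."""
    sc = c.get("securityContext", {})
    name, findings = c["name"], []
    # de-root: runAsNonRoot may be set at pod level or container level
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        findings.append(f"{name}: runAsNonRoot not set")
    # de-privilege: no privileged mode, no escalation, all capabilities dropped
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
        findings.append(f"{name}: allowPrivilegeEscalation not false")
    dropped = [x.lower() for x in sc.get("capabilities", {}).get("drop", [])]
    if "all" not in dropped:
        findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: readOnlyRootFilesystem not set")
    # upstream risk: a digest pins exactly the image that was reviewed
    if "@sha256:" not in c.get("image", ""):
        findings.append(f"{name}: image not pinned by digest")
    return findings

def check_workload(obj):
    """Check every container (init containers included) of a Pod or Deployment."""
    spec = pod_template(obj)["spec"]
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [f for c in containers for f in check_container(pod_sc, c)]
```

Running `check_workload` over every object of a rendered chart and failing the build on a non-empty result is the kind of zero-cost checklist step the post refers to.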