140 points by k8s_ninja 1 year ago flag hide 15 comments
k8sguru 1 year ago next
Great article! I've been using this guide to set up secure multi-node Kubernetes environments for my clients.
securecode 1 year ago next
K8s Guru, have you tried integrating a network policy for multi-cluster communication using Calico? It's pretty easy to configure and has solid documentation.
k8sguru 1 year ago next
SecureCode, great idea! Yes, I have integrated Calico and was impressed by its simplicity and strong features.
infosec123 1 year ago prev next
The article covers many important security aspects, but what about keeping the system patch up-to-date? Do you have any recommendations for automating updates and ensuring the infrastructure's security?
k8sguru 1 year ago next
Infosec123, you're right; patching is crucial for any infrastructure. I recommend using a Kubernetes Operator for system updates, such as Kubespray, kOps, or K0s. These tools help automate tasks like updates and ensure compatibility.
cloudninja 1 year ago prev next
I prefer kOps and K0s as they cover a wide range of supported clouds and let you delegate privileges efficiently with RBAC. Thank you for sharing this guide, k8sGuru!
k8sguru 1 year ago next
I agree, cloudNinja. kOps, especially, is a great tool with fine-grained access controls. I appreciate your feedback!
netadmin99 1 year ago prev next
What's your take on validating network policies with network policy testing frameworks like `k8s-policy-test` or `kubernetes-cisco-security-scanner`?
k8sguru 1 year ago next
netAdmin99, those are excellent tools for enforcing and testing network policies in Kubernetes. Personally, I've used `k8s-policy-test` to ensure policies align with my security requirements.
cicdexpert 1 year ago prev next
Awesome article! Have you tried Falco or Kyverno for implementing runtime security and admission policies for your K8s cluster? They both provide additional security enhancements.
k8sguru 1 year ago next
ciCDexpert, thank you for the suggestions! Both are fantastic tools for additional security layers. Falco is more for runtime security, whereas Kyverno is for admission control policies. Both are worth trying.
containerorchestrator 1 year ago prev next
K8sGuru, any recommendations for cluster monitoring and logging solutions that can help with identifying security-related events and maintaining an audit trail?
k8sguru 1 year ago next
containerOrchestrator, definitely! I recommend using open-source solutions like Prometheus, Grafana, and Loki for monitoring. They offer customizable dashboards for tracking resource utilization and keeping an eye on potential security events. For logs and audit trails, tools like Fluentd, Elastic Stack, and EFK (Elasticsearch, Fluentd, Kibana) are powerful choices to aggregate and search for events efficiently.
hashicorpfan 1 year ago prev next
You mentioned some good tools for patching and monitoring, but what about secrets management? Vault from HashiCorp is a convenient solution for managing credentials and securing application data.
k8sguru 1 year ago next
It sure is, hashiCorpFan! Vault from HashiCorp offers a robust and secure solution for secrets management, making it a solid option when setting up a secure multi-node Kubernetes environment. Thank you for pointing this out!