Advanced Secure setup #1

Draft: wants to merge 105 commits into base: main
Conversation

@mathieu-benoit (Owner) commented Mar 9, 2024

Based on the default security features already in place:

  • Autopilot
  • Workload Identity
  • Shielded Nodes
  • Private Nodes + Cloud NAT
  • Control plane authorized networks on Humanitec's IP addresses
  • Dataplane V2
  • Least privileges Google Service Account for the Nodes
  • GKE Security Posture (Basic)

Here are the complementary security features added via this PR:

  • Humanitec:
    • Deploy any Workload in the cluster via the Humanitec Agent
    • Deploy Terraform resources via a private Terraform runner (with Workload Identity)
    • Add PSS/PSA label on any Namespace created
    • securityContext for any Workload deployed
    • Use roles/container.developer instead of roles/container.admin for GKE access
    • 1 dedicated KSA per Workload
    • Read external secrets from GSM via the Humanitec Operator
  • Google Cloud:
    • Create a dedicated GAR
    • Enable containers scanning on GAR
    • GKE Security Posture (Advanced)
    • GKE Release channel to RAPID in order to get latest and greatest GKE/Kubernetes security features such as communication through PSC from private nodes to control plane (since 1.29.0-gke.1384000).
    • Restricted access to GKE control plane: only from the Agent (Cloud NAT) and the location where the Terraform scripts are executed (in order to deploy Helm/Kubernetes manifests from Terraform).
    • GKE Enterprise (Fleet/Anthos)
    • Anthos Service Mesh (Managed Control Plane + Istio proxy distroless + STRICT mTLS)

Future Ideas/TODOs:

  • Humanitec:
    • Cloud Account with WIF for GKE cluster access
  • Google Cloud:
    • Cloud Armor

@mathieu-benoit mathieu-benoit marked this pull request as draft March 9, 2024 02:57
@mathieu-benoit mathieu-benoit changed the title Advanced & Secure setup Advanced Secure setup Mar 11, 2024