# Meeting with Norwegian Tax authority -- 20191211 ###### tags: `meeting notes` `Norwegian Tax Authority` ### Meeting agenda | Agenda item | Time | | ------------------------------------------------- | ------------- | | Intro by NTA: Overview of current environment | 8:30 - 09:30 | | EKS POC project - Timelines, goals and milestones | 09:30 - 10:00 | | EKS latest news | 10:00 - 10:30 | | NTA requirements discussion | 10:30 - 11:30 | | _Lunch break_ | 11:30 - 12:00 | | NTA requirements discussion | 12:00 - 14:00 | End of meeting: 14:00 -------------------------------------------------------------------- ## MTA requirements Input from Lene, 2019-12-10 ### Integration with other systems · How is other kind of AWS resources provisioned? E.g. is it an easy way of getting an AuroraDB/S3 bucket/RDS when you deploy an application in AWS? o Operators vs Service Catalog vs ? · Is it possible to send logs to Splunk? · Options for private docker registry · Monitoring and tracing? Native support? ## Authentication and authorization · Authentication and authorization o How is access control in EKS implemented? § What is the current possibilities with OAuth2.0 services? We use OpenShifts internal OAuth2.0 authorization server to perform actions on behalf of users today. § What is the possibilities when doing access control? Is it similar to Kubernetes RBAC? [https://kubernetes.io/docs/reference/access-authn-authz/rbac/](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) . § How can roles in external IAM systems be used in EKS? We synchronize from Active Directory today. § Will thirds party services (e.g. Boober) be able to use OAuth2.0 to perform operations on EKS on behalf of users, and with the access rights of the user? o Is is possible to use service account token for accessing other AWS systems? (Yes!) [https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) [https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html) o How is the integration with third party services? (Belive the answer would be a combination of Vault and projected service accounts) ### Deployment options · Cluster management (big vs smaller clusters) o Cost managment - labling of Kubernetes resources to calculate cost (compute / disk / network) · Managed (EKS) vs Self configured Kubernetes running on EC2. ## Networking · Perimeter security · Ingress o Recommended ingress controller · Egress · Service mesh o Can multiple clusters share one mesh or should each cluster have a separate mesh? o AWS Mesh or Istio? · Hybrid o Communication between clusters on-prem and AWS ## K8S-stuff · How is the support for custom admission controllers? · Low level o Is it possible to manipulate the network stack (e.g. for fault injection or Istio)? ([https://aws.amazon.com/blogs/opensource/getting-started-istio-eks/](https://aws.amazon.com/blogs/opensource/getting-started-istio-eks/)) o How is the support for custom CNI plugins? What are the default for EKS? What is the recommended? o What about Fargate? Is support for lower level functionality the same as in EKS running on EC2? o Support for SCC? ([https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)). AppArmour? SELinux? o Functionality for limiting user IDs per namespace and limiting the possibility to configure SCC for users? ([https://aws.amazon.com/blogs/opensource/using-pod-security-policies-amazon-eks-clusters/](https://aws.amazon.com/blogs/opensource/using-pod-security-policies-amazon-eks-clusters/)) o Other kind of hardning? o Default seccomp-profiles?? · What kind of GUIs does AWS provide? o GUIs for one single cluster? o GUIs for monitoring many custers in one view? · Build pipeline o Caching of dependencies? E.g. Maven artifacts or NPM modules? One single build tends to download a lot of third party dependencies. · Alternatives to ImageStream o Update Deployments when there is a new sha behind the tag · Control of egress traffic -------------------------------------------------------------------- Input from Mads on 2019-12-03: > Good if we can touch also some practicalities around networking and operations of an EKS setup, e.g. this: > - We have currently a design where we have a Network Account with Transit VPC (or TransitGW) and want to let all internet traffic from our various accounts&VPCs to go "same way" via that Transit. > - How would such "cloaking" be done for an account&VPC running EKS? (as alternative to having a IPGW on the EKS VPC itself) > - Examples of what typically a devsecops team handles with respect to operating an EKS setup and what is handled by Amazon as part of the EKS service itself. Input from Lene 2019-11-28: > Main target audience for the workshop: > The main target audience for this workshop is the people involved in the evaluation and comparing of three Kubernetes platforms (OpenShift, AKS and EKS) that will be a task for us the first half of 2020. Including the configuration of EKS. > Our current environment: > > As you might know, we have been using the OpenShiftplatform as a development and runtime environment since 2016. We have currently about 300 microservices on OpenShift in production (in several instances), and lots of test- end development environments. We have automated the CI/CD pipeline, and we have to some ekstent standardized how we do application developement in Skatteetaten. There are currently about 35 development teams using the OpenShift platform. > What we'd like to achieve: > > Our main goal for the day is to get a "quickstart" on EKS, and to learn as much as possible about what possibilites and constrainst EKS will give us, and good advice about "dos and do-nots". We are currently discussing consequences of clustersizes (on the on-prem OpenShift platform), and we are discussing how we can solve some securityissues using features in the Kubernetesplatform. These are some of the issues we'd like to discuss in the workshop. > But I guess you might have some questions, and I'm wondering if it would be possible to have a short meeting next week to plan the agenda and do our best to facilitate a successful workshop.