Mytaskbar - Dysnix Proposal

Best practices

IaC

  • Terraform
  • Helm
  • Helmfile

Cluster

  • GKE private cluster topology
  • Bastion host or VPN for access to the Kubernetes API
  • etcd encrypted at rest
  • Dedicated service accounts
  • Workload Identity
  • RBAC
  • Enable audit logging

Network

  • Kubernetes Network Policy
  • Istio pod-to-pod encryption with mutual TLS (optional)

Secure config store

We recommend using Vault's Injecting Vault Secrets Into Kubernetes Pods approach (the Vault Agent injector) for all sensitive configuration parameters, so that secrets are never stored in plain ConfigMaps or environment variables in the manifests.
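As an added example (not part of the proposal), a Deployment annotated for the Vault Agent injector; the Vault role name, KV v2 path, service account and image are assumed placeholders that would be replaced with the project's own values:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mytaskbar-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mytaskbar-api
  template:
    metadata:
      labels:
        app: mytaskbar-api
      annotations:
        # Ask the Vault Agent injector (mutating webhook) to add a sidecar to this pod
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role bound to this pod's dedicated service account (assumed name)
        vault.hashicorp.com/role: "mytaskbar-api"
        # Render secret/data/mytaskbar/db into /vault/secrets/db-config (assumed KV v2 path)
        vault.hashicorp.com/agent-inject-secret-db-config: "secret/data/mytaskbar/db"
        # Template the KV v2 payload as env-style lines; the secret lives only in the
        # in-memory shared volume, never in the manifest or a ConfigMap
        vault.hashicorp.com/agent-inject-template-db-config: |
          {{- with secret "secret/data/mytaskbar/db" -}}
          DB_USER={{ .Data.data.username }}
          DB_PASSWORD={{ .Data.data.password }}
          {{- end }}
    spec:
      # Dedicated service account per workload, matching the "Dedicated service accounts" item above
      serviceAccountName: mytaskbar-api
      containers:
        - name: api
          image: REGISTRY/mytaskbar-api:TAG   # placeholder image reference
          # Load the rendered file into the process environment at start-up
          command: ["sh", "-c", "set -a; . /vault/secrets/db-config; set +a; exec /app/server"]
```

On the Vault side the `mytaskbar-api` role must be created under the Kubernetes auth method and bound to this service account and namespace, with a policy granting read on the assumed path only.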

Monitoring & Logging

  • Prometheus + Grafana + Alertmanager
  • Datadog audit log monitoring or another third-party security monitoring tool
  • Fluentd + Elasticsearch + Kibana

Audit & security scan

After deploying a new environment, we recommend running comprehensive tests using the following security audit tools: