# Mytaskbar - Dysnix Proposal

## Best practices

### IaC

* Terraform
* Helm
* Helmfile

### Cluster

* GKE private topology
* Bastion host or VPN for access to the K8S API
* etcd encrypted
* Dedicated service accounts
* Workload Identity
* RBAC
* Enable audit logging

### Network

* Kubernetes Network Policy
* Istio pod-to-pod encryption (optional)

### Secure config store

We recommend using [Injecting Vault Secrets Into Kubernetes Pods](https://www.vaultproject.io/docs/platform/k8s/injector) for all sensitive configuration parameters.

### Monitoring & Logging

* Prometheus + Grafana + Alertmanager
* Use [Datadog audit log monitoring](https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/) or other third-party security monitoring tools
* Fluentd + Elasticsearch + Kibana

### Audit & security scan

After deploying a new environment, we recommend running comprehensive tests using the following security audit tools:

* https://github.com/aquasecurity/kube-hunter
* https://github.com/Shopify/kubeaudit
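As an added example, not part of the Dysnix proposal, the Cluster items above expressed as Terraform for a private GKE cluster (IaC section); project, region, network, subnet, KMS key name and bastion CIDR are placeholders.

```hcl
# Dedicated node service account instead of the default Compute Engine SA.
resource "google_service_account" "gke_nodes" {
  account_id = "gke-nodes"
}

resource "google_container_cluster" "primary" {
  name                     = "mytaskbar"
  location                 = "europe-west1"   # placeholder region
  network                  = "vpc"            # placeholder VPC name
  subnetwork               = "gke"            # placeholder subnet name
  remove_default_node_pool = true
  initial_node_count       = 1
  ip_allocation_policy {}                     # VPC-native, required for private clusters

  # Private topology: nodes get no public IPs and the control-plane endpoint is private.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Only the bastion host / VPN range may reach the Kubernetes API.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.1.0/24"   # placeholder bastion/VPN subnet
      display_name = "bastion"
    }
  }

  # etcd encrypted: Kubernetes Secrets are encrypted at the application layer with a Cloud KMS key.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = "projects/PROJECT_ID/locations/europe-west1/keyRings/gke/cryptoKeys/etcd"  # placeholder
  }

  # Workload Identity: pods authenticate as Google service accounts without exported keys.
  workload_identity_config {
    workload_pool = "PROJECT_ID.svc.id.goog"   # placeholder project
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  cluster    = google_container_cluster.primary.id
  node_count = 3
  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    workload_metadata_config { mode = "GKE_METADATA" }   # Workload Identity on the nodes
  }
}
```

RBAC, audit logging (Cloud Audit Logs for GKE) and Network Policy are configured separately and are not shown here.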