This lab focuses on the DevSecOps aspect of running your cluster. We’ll be using Kubernetes mechanisms like Service Accounts, Pod Security Policies and Network Policies to enforce strict control over how the resources and services of your cluster are used and who can reach them. (Note that Pod Security Policies were removed in Kubernetes 1.25; on current clusters the built-in replacement is Pod Security Admission, and the same lab principles apply.)
This way, best practices are enforced by the cluster itself rather than reimplemented by each team, so nobody has to reinvent the wheel.
Kubernetes scheduler and policies deep dive
We’ll start with a deep dive into how Kubernetes scheduling and resource management work. This is a crucial part of cluster planning, and we’ll build on the principles learned here throughout the rest of the lab.
Organising your cluster
Kubernetes offers several powerful mechanisms to isolate your workloads and ensure the security and stability of your system. In this section we’ll cover those mechanisms and best practices, including effective use of namespaces, building isolated staging environments and flexible configuration management.
RBAC and Service Accounts
A well-engineered production system is made up of several groups of components interacting with each other, each designed to have as little access to the others as possible. Kubernetes has powerful mechanisms (RBAC roles and bindings tied to per-workload Service Accounts) to enforce those levels of isolation, and we’ll be implementing them on our reference ecommerce system.
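As an added illustration of what "as little access as possible" looks like in manifest form (this is example configuration, not the lab’s own material), the following gives one service of an ecommerce system its own identity and grants it exactly one permission. The namespace `shop`, the service name `checkout`, the ConfigMap name `checkout-config` and the image name are all assumed:

```yaml
# Added example (not from the lab): a least-privilege identity for one workload.
# Names (namespace "shop", service "checkout", image) are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: checkout
  namespace: shop
# Do not hand every pod an API token by default; pods that need one opt in below.
automountServiceAccountToken: false
---
# A Role is namespaced. This one may only read a single named ConfigMap;
# it cannot list Secrets, create Pods, or touch anything in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: checkout-config-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["checkout-config"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: checkout-config-reader
  namespace: shop
subjects:
- kind: ServiceAccount
  name: checkout
  namespace: shop
roleRef:
  kind: Role
  name: checkout-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: checkout
  namespace: shop
spec:
  serviceAccountName: checkout
  automountServiceAccountToken: true   # this pod genuinely needs to call the API
  containers:
  - name: checkout
    image: example.com/shop/checkout:1.0.0   # assumed image name
```

To check the result rather than trust it, impersonate the service account: `kubectl auth can-i get configmap/checkout-config -n shop --as=system:serviceaccount:shop:checkout` should answer `yes`, while `kubectl auth can-i list secrets -n shop --as=system:serviceaccount:shop:checkout` should answer `no`. Keeping `automountServiceAccountToken: false` on the ServiceAccount means a compromised pod that never needed API access has no token to steal.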
Network isolation and policies
Apart from RBAC, Kubernetes allows granular access control at the network level through Network Policies. We’ll be implementing those policies in our cluster to end up with a well-architected system that minimises the chance of error or failure, whether caused by accidents or by bad actors.
Enforcing cluster policies
Finally, we’ll be using Kubernetes mechanisms to ensure that all the policies we’ve set up so far stay enforced even as new services and systems are introduced into the cluster. By enforcing those standards at the cluster level, we can ensure the cluster keeps respecting our chosen best practices without relying on every team to remember them.