
Managed

GKE

References

Link Notes
GKE best practices
The Unofficial GKE Security Guide Guide which aims to help prioritize and implement a security posture that meets your organization's needs while taking advantage of all the benefits of GKE
Private clusters
Exposing GKE applications through Ingress and Services Walkthrough of the different factors to consider when exposing applications on GKE, how they affect application exposure, and which networking solutions each requirement drives you toward
Consuming Google Secret Manager secrets in GKE 5 options to integrate GKE and GSM

IAM

Link Notes
Introducing Workload Identity: Better authentication for your GKE applications The new, and now recommended, way for GKE applications to authenticate to and consume other Google Cloud services
Making Sense of Kubernetes RBAC and IAM Roles on GKE Relationship between Google Cloud IAM and Kubernetes RBAC
Kubernetes Bound Service Account Tokens
  • Bound service account tokens are becoming the default format in Kubernetes 1.21
  • This will ultimately enhance the authentication layer, but you may need to modify your applications to take advantage of the new security capabilities

Federation

Link Notes
Authenticating to GKE without gcloud How to authenticate to GKE and deploying to it from headless environments like CI/CD
Securely Access AWS Services from Google Kubernetes Engine (GKE) Challenges and potential solutions for cross-cloud access
Groups-GKE
  • Google Groups for GKE
  • Allows granting roles to the members of a GSuite Google Group
rbacsync
  • Automatically sync groups into Kubernetes RBAC (blog post)
  • Provides a Kubernetes controller to synchronize RoleBindings and ClusterRoleBindings, used in Kubernetes RBAC, from group membership sources using consolidated configuration objects
  • The provided configuration objects allow you to define "virtual" groups that result in the creation of RoleBindings and ClusterRoleBindings that directly reference all users in the group

EKS

References

Link Notes
Amazon EKS Best Practices Guide for Security Best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization
Amazon EKS Workshop Workshop exploring multiple ways to configure VPC, ALB, and EC2 Kubernetes workers
AWS Controllers for Kubernetes (ACK) ACK lets you directly manage AWS services from Kubernetes
Kubernetes multi-tenancy with Amazon EKS: Best practices and considerations Some considerations for Kubernetes multi-tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage
Hardening AWS EKS security with RBAC, secure IMDS, and audit logging How small misconfigurations or unwanted side-effects may put clusters at risk
Opinionated guides

IAM

Link Notes
EKS Pod Identity Webhook Deep-Dive Deep dive on the EKS Pod Identity Webhook (gives IAM roles to pods) to understand how it works, specifically for non-EKS clusters
IAM roles for Kubernetes service accounts - deep dive How IAM and Kubernetes work together, allowing you to call AWS services from your pods with no hassle
iam-service-account-controller Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
aws-iam-authenticator Use AWS IAM credentials to authenticate to a Kubernetes cluster

AKS

Link Notes
Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel How to use Azure Sentinel to monitor AKS clusters for security incidents
Secure pods with Azure Policy You can deny requests based on pod capabilities and audit for runtime violations