Planning the Kubernetes deployment, including selecting the right infrastructure and defining the requirements for the cluster.
Installing and configuring the Kubernetes software, including setting up the control plane and worker nodes.
Configuring the network and storage for the Kubernetes cluster, including defining how applications will be exposed and how data will be stored and accessed.
Defining policies and security settings, such as access control policies, network policies, and encryption settings.
This requires upskilling infrastructure and operations personnel on each of these aspects and creating processes for the users of the infrastructure.
Kubernetes is a new kind of infrastructure that demands a new understanding of infrastructure and operations. While much of the installation and configuration was outsourced to a third party, security remained an in-house responsibility. The team at EDBS knew that leaving security to a late phase of the project would put timelines at risk, so they decided to build security in from day zero.
EDBS selected ARMO Platform in order to learn how to strengthen the security posture of a Kubernetes cluster. The DevOps team first scanned deployment files to derive best practices for writing them correctly and without misconfigurations. The remediation advice and the descriptions of the security controls were instrumental in producing comprehensive security guidelines for developers.
The next step was to plug ARMO Platform into their Azure pipelines and create a feedback loop that strengthens the security posture of the clusters throughout the DevOps pipeline. Every time a new deployment is built, ARMO Platform highlights misconfigurations so the Kubernetes security posture can be tightened before the change reaches the cluster.
The final step to date was to run in-cluster scanning to check the running cluster for vulnerabilities.
In the future, as part of the security guidelines and to reduce developer friction, the team intends to introduce ARMO Platform plug-ins (for example for VS Code, kubectl and GitHub Actions) so that the guidance is embedded in the developer toolchain rather than relying on written guidelines, keeping software delivery fast and agile.
The SOC 2 auditor accepted ARMO Platform and its implementation as part of the SOC 2 process, and the scanning reports generated by ARMO Platform were presented to the auditor as evidence during the audit.
To get relevant findings, the team at Gitpod preferred a solution that provides insight from outside the cluster as well as from within it.
ARMO Platform has become part of the security processes at Gitpod and is used at least once a week.