Gloo Platform runs on Kubernetes platforms, which in turn run on underlying infrastructure such as on-prem hardware or cloud providers. The infrastructure provider for the clusters in your service mesh can affect the security posture of the apps that run in your cluster. Review general guidelines for maintaining your environment to work securely with Gloo, and consult your infrastructure provider for more information.
Cluster details: Review the System requirements for cluster details such as node sizing and number of clusters. Review your infrastructure provider for more security features, such as the following.
- Node tenancy and compute isolation, such as shared vs. dedicated virtual or physical machines
- Compliant kernel images
- Kernel mandatory access control (MAC) security profiles
- Center of Internet Security (CIS) Kubernetes benchmark standards
- Blocked SSH access
- Disk encryption
Networking: Review the System requirements for networking details such as required port and repository access for firewalls. Review your infrastructur provider for more security features, such as the following.
- Network segmentation and isolation for nodes in your cluster, sometimes achieved with a virtual private cloud (VPC) architecture
- Firewalls and network policies
- Edge nodes to reduce the surface area of nodes attached to a public interface
Load balancers: Kubernetes
Ingress services are typically backed by a separate load balancer in your infrastructure provider.
- Your provider might have additional security features for the load balancer, such as global load balancing or failover.
- The load balancers might also have reserved ports, IP address allocation, or other networking rules that might impact your apps.
- You might have to configure annotations for the load balancers to improve performance or to use a feature such as TCP.
High availability and disaster recovery: Your infrastructure provider might offer HA/DR features for the servers, load balancers, or other infrastructure tools that you use. For example, creating your cluster with nodes that are spread across multiple zones can increase the availability of your apps.
Certificate, key, and other encryption management services: Your infrastructure provider might provide tools to manage the encryption of Kubernetes secrets, CA certificates, and other resources that your apps use to secure their data.
Logging and monitoring: To help keep your environment secure, set up a plan to log and monitor not only your apps and service mesh traffic, but also your infrastructure resources.
- Check your infrastructure provider for monitoring tools related to the following components:
- Container and app metrics and logs
- Kubernetes and operating system versions and vulnerabilities
- Node and cluster metrics and logs
- Kubernetes API server audit logs, along with
- Load balancer metrics and ingress logs
- Review the Gloo Observability tools that can help you visualize the activity in your service mesh.
- When you get stuck, try out the Troubleshooting guide. If you need help, see Support and services.