Underlying infrastructure
Gloo Platform runs on Kubernetes platforms, which in turn run on underlying infrastructure such as on-prem hardware or cloud providers. The infrastructure provider for the clusters in your environment can affect the security posture of the apps that run in your cluster. Review general guidelines for maintaining your environment to work securely with Gloo, and consult your infrastructure provider for more information.
Cluster details: Review your infrastructure provider for security features, such as the following.
- Node tenancy and compute isolation, such as shared vs. dedicated virtual or physical machines
- Compliant kernel images
- Kernel mandatory access control (MAC) security profiles
- Center for Internet Security (CIS) Kubernetes benchmark standards
- Blocked SSH access
- Disk encryption
Networking: Review your infrastructure provider for security features, such as the following.
- Network segmentation and isolation for nodes in your cluster, sometimes achieved with a virtual private cloud (VPC) architecture
- Firewalls and network policies
- Edge nodes to reduce the surface area of nodes attached to a public interface
Load balancers: If you configure ingress for your cluster, the Kubernetes LoadBalancer and Ingress services are typically backed by a separate load balancer in your infrastructure provider.
- Your provider might have additional security features for the load balancer, such as global load balancing or failover.
- The load balancers might also have reserved ports, IP address allocation, or other networking rules that might impact your apps.
- You might have to configure annotations for the load balancers to improve performance or to use a feature such as TCP.
High availability and disaster recovery: Your infrastructure provider might offer HA/DR features for the servers, load balancers, or other infrastructure tools that you use. For example, creating your cluster with nodes that are spread across multiple zones can increase the availability of your apps.
Certificate, key, and other encryption management services: Your infrastructure provider might provide tools to manage the encryption of Kubernetes secrets, CA certificates, and other resources that your apps use to secure their data.
Logging and monitoring: To help keep your environment secure, set up a plan to log and monitor not only your network traffic, but also your infrastructure resources.
- Check your infrastructure provider for monitoring tools related to the following components:
  - Container and app metrics and logs
  - Kubernetes and operating system versions and vulnerabilities
  - Node and cluster metrics and logs
  - Kubernetes API server audit logs, along with kube-system component logs
  - Network metrics
- Review the Gloo Observability tools that can help you visualize the activity in your Gloo environment.
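As an added example of the kind of monitoring the API server audit logs make possible (this is not code from the Gloo documentation or product), the script below runs two simple checks over constructed kube-apiserver audit events: reads of Secrets in kube-system by anything outside an allow-list, and pod exec sessions. The usernames, namespaces and allow-list are placeholders you would replace with the identities actually used in your cluster.

```python
import json

# Constructed sample of kube-apiserver audit events (one JSON object per line);
# usernames and namespaces are placeholders, not taken from any real cluster.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "get", "user": {"username": "system:serviceaccount:kube-system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "bootstrap-token"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2024-01-01T10:00:00Z"},
    {"verb": "list", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2024-01-01T10:00:05Z"},
    {"verb": "create", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "apps", "name": "web-0"},
     "responseStatus": {"code": 101}, "requestReceivedTimestamp": "2024-01-01T10:01:00Z"},
    {"verb": "get", "user": {"username": "system:serviceaccount:apps:web"},
     "objectRef": {"resource": "configmaps", "namespace": "apps", "name": "web-config"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2024-01-01T10:02:00Z"},
])

# Placeholder allow-list: identities expected to read Secrets in kube-system.
ALLOWED_SECRET_READERS = {
    "system:serviceaccount:kube-system:kube-controller-manager",
}


def find_suspicious_events(audit_log: str) -> list:
    """Return (timestamp, rule, username) tuples for audit events that match a detection rule."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verb = event.get("verb", "")
        user = event.get("user", {}).get("username", "")
        ref = event.get("objectRef") or {}  # absent for non-resource requests such as /healthz
        ts = event.get("requestReceivedTimestamp", "")
        # Rule 1: Secret reads in kube-system by any identity outside the allow-list.
        if (ref.get("resource") == "secrets" and ref.get("namespace") == "kube-system"
                and verb in ("get", "list", "watch") and user not in ALLOWED_SECRET_READERS):
            findings.append((ts, "secret-read-kube-system", user))
        # Rule 2: exec into a pod; normal during debugging, but always worth recording.
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            findings.append((ts, "pod-exec", user))
    return findings


if __name__ == "__main__":
    for ts, rule, user in find_suspicious_events(SAMPLE_AUDIT_LOG):
        print(f"{ts} {rule} {user}")
```

In a real deployment the input would be the audit log file or webhook stream configured on the API server, and the findings would be forwarded to whatever alerting your provider's monitoring tools offer.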