The setup implemented a reasonably production-ready environment. However, you can harden the environment further by following the recommendations below:
- Each Google Kubernetes Engine node is given broad access by default (i.e. the Compute Engine default service account), which has more permissions than required. You should create a minimally privileged service account to run your Kubernetes cluster and add only the roles your application requires. For more details, refer to https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
- If you use third-party containers and require that only trusted container images be deployed on Google Kubernetes Engine (GKE), you can use the Binary Authorization service. For more details, refer to https://cloud.google.com/binary-authorization/
- Define the appropriate NetworkPolicy based on your application requirements. For instance, if you want to ensure that only specific pods in the cluster can reach the public network or specific IPs, you can apply NetworkPolicy resources to the cluster. For more details, refer to https://kubernetes.io/docs/concepts/services-networking/network-policies/
- In a future article, we will extend our application with a service mesh (Istio), which offloads network functions (metering, load balancing, service-to-service authentication, monitoring, etc.) to the mesh without changing any application or service-level code.