Comments (3)
@dshaw wanted us to define the area of concern and assess how deep we want to go in this working group.
from tag-security.
Just my loud thoughts probably echoing your issues:
IP based identity authentication may not render well in the virtualized environment:
- When the pods/containers fail, the substitute or standby container must assume (re-assignment, aka reconfiguration) the same IP address in order to keep the authentication check transparent – not an easily scalable approach.
- This may become further complex if a single container app package gets migrated to microservices or serverless scattered over multiple containers or even Pods. Likely, the original IP-based authentication needs to be reconfigured with multiple IP addresses. Though less frequent, avoiding such authentication reconfiguration would certainly be desirable since, from the user's perspective, application operation would remain the same while the underlying virtual entities may have changed. Similar issues come to mind if the load balancer needs to trigger additional Pods/containers.
- Is the service identity not tied to the service account (not necessarily IP based)?

3, 4: Service identity (K8s service account) seems to be an improvement over the IP identity scheme. Automation and a mediation broker come to mind to perhaps help administer and scale the IP and service account mapping scheme.
from tag-security.
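To make the trade-off in the comment above concrete, here is an added example (not code from the issue thread or from TAG Security) that runs an IP-allowlist policy and a service-account identity policy over a constructed timeline of pod reschedules and a scale-out. Pod names, IPs and the `prod:payments` service account are made-up sample values; the `system:serviceaccount:<namespace>:<name>` subject format is the one Kubernetes puts in service-account tokens.

```python
from collections import namedtuple
from dataclasses import dataclass

# A pod as the policy sees it. service_account is "<namespace>:<name>"; Kubernetes exposes
# that identity as the token subject system:serviceaccount:<namespace>:<name>, independent of IP.
Pod = namedtuple("Pod", "name ip service_account")

def sa_subject(pod: Pod) -> str:
    return f"system:serviceaccount:{pod.service_account}"

@dataclass
class IpPolicy:
    """Authorizes by source address; has to be re-learned after every reschedule."""
    allowed_ips: set
    reconfigurations: int = 0
    def allows(self, pod: Pod) -> bool:
        return pod.ip in self.allowed_ips
    def reconfigure(self, pods):
        self.allowed_ips = {p.ip for p in pods}
        self.reconfigurations += 1

@dataclass
class IdentityPolicy:
    """Authorizes by service-account subject; indifferent to where the pod lands."""
    allowed_subjects: set
    def allows(self, pod: Pod) -> bool:
        return sa_subject(pod) in self.allowed_subjects

def run_timeline(timeline, ip_policy, id_policy) -> dict:
    """Count legitimate pods each policy wrongly denies; re-learn IPs whenever they drift."""
    ip_denied = id_denied = 0
    for pods in timeline:
        misses = [p for p in pods if not ip_policy.allows(p)]
        ip_denied += len(misses)
        if misses:
            ip_policy.reconfigure(pods)   # the operator step the IP scheme forces each time
        id_denied += sum(not id_policy.allows(p) for p in pods)
    return {"ip_denied": ip_denied, "ip_reconfigs": ip_policy.reconfigurations,
            "identity_denied": id_denied}

TIMELINE = [  # constructed: original pod, its replacement after a failure, then a scale-out
    [Pod("payments-0", "10.0.1.5", "prod:payments")],
    [Pod("payments-1", "10.0.2.9", "prod:payments")],
    [Pod("payments-1", "10.0.2.9", "prod:payments"), Pod("payments-2", "10.0.3.3", "prod:payments"),
     Pod("payments-3", "10.0.1.7", "prod:payments")],
]

def demo() -> dict:
    return run_timeline(TIMELINE, IpPolicy({"10.0.1.5"}),
                        IdentityPolicy({"system:serviceaccount:prod:payments"}))
```

`demo()` reports three legitimate pods denied and two forced reconfigurations for the IP policy against none for the identity policy; a re-learned IP allowlist also admits any pod that later inherits one of those addresses, whereas the identity policy still checks the service account.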
Closed due to inactivity.
from tag-security.