DEV Community: divya-mohan0209

How KubeSlice implements multi-tenancy in Kubernetes

divya-mohan0209 — Mon, 25 Jul 2022 05:00:00 +0000

_This is an article originally co-authored by Olyvia Rakshit & I for the Avesha blog. You can find it by following this link.
_

What is Multi-tenancy in Kubernetes?

Multi-tenancy in Kubernetes is a way to deploy multiple workloads in a shared cluster with isolated network traffic, resources, user access, and last but not least control plane access. Such tenancy is needed

by SaaS providers for their customers who orchestrate containers using Kubernetes,
by teams in an enterprise who have different functions or
by applications which have specific compliance or performance requirements.

Similar to virtualization in the compute world, multi-tenancy in Kubernetes is a form of virtual cluster on a physical cluster.

Or to look at it from a different perspective, multi-tenancy in Kubernetes is very similar to multiple tenants in real estate such as in an apartment complex or shared office centers.

The use case for multi-tenancy

When we talk about multi-tenancy in the real world, it is not difficult to picture why it is required. Let’s take the example of an apartment complex where several isolated apartments are leased out to several customers sharing the same resources. Contrast this with a single family purchasing the same real estate and building a single house.

More individuals and families can be accommodated within a complex. An equitable sharing of resources like electricity, water etc in an isolated manner can be achieved among people living in different apartments. In case of a single tenant building a house on the same plot of land, there’d be limited sharing capabilities – whether it be in the case of real estate or resources. Therefore from the perspective of making a profit during a sale and ensuring efficient occupancy, it can be argued the first option is definitely better.

In the case of application deployments, going by the analogy above, it’s always efficient to pack multiple tenants in the same infrastructure.

Moving over to the Kubernetes world, due to efficiencies gained by Kubernetes, organizations are rapidly transitioning their application architectures from monoliths to microservices.. Kubernetes clusters, with release 1.24, can have upto 5000 nodes, 110 pods per node, and 150000 total pods.

With multiple teams needing to have a dedicated cluster or set of clusters, platform teams managing the clusters have to deal with increased costs of running a farm of clusters, copies of tooling associated with operating clusters, and optimizing unused capacity in clusters. Add to it the fact that the Kubernetes control plane (master node) is required to scale horizontally along with the increase in workloads and we know why having multiple tenants or “multi-tenancy” would make more sense in the context of Kubernetes clusters.

Benefits of a multi-tenant approach

Multi-tenancy in Kubernetes helps bring cost savings by reducing the footprint of the control plane and by optimizing node capacity across multiple teams or multiple customers. It can be achieved by either using a shared node pool across teams (compute is cheaper at scale) or
dedicating some set of nodes to a tenant when needed. If you consider an on-prem deployment, dedicating servers to a tenant will increase costs and will not take optimal advantage of the Kubernetes scheduler bin packing algorithm for optimal workload placement.

Multi-tenancy also brings operational cost savings by consolidating different tools sets for managing, visibility and operating clusters. Optimizing a single cluster is complex. If one deploys a cluster per tenant, operating and optimizing will be difficult and increases the operational burden by many folds.

Multi-tenancy helps spin up new customers or new teams instantly and easily along with the associated tooling. This means you don’t have to bring all new infrastructure for each tenant! It also helps reduce complexity of configuration maintenance and security validation for multiple clusters.

In summary by implementing multi-tenancy in Kubernetes clusters you gain:

Cost savings
Reduce operational overhead
Improves continuous delivery at scale

Enter KubeSlice!

‘KubeSlice’ combines network, application, and deployment services in a framework to create tenancy in a Kubernetes cluster and extends it to multi-cluster.

KubeSlice creates logical application boundaries known as “slices” that allow pods and services to communicate seamlessly across clusters, clouds, edges, and data centers regardless of their physical location. Each slice is assigned its own set of namespaces, resource quotas, traffic profiles that creates an “isolated virtual network” for each tenant (a team or a customer) in a single cluster or multiple clusters.

KubeSlice drives provisioning and management of tenants via a Controller which is isolated functionally from workloads deployed by product teams via a worker cluster. As Kubernetes defines a control plane for orchestrating containers in worker nodes, KubeSlice’s control plane is defined as ‘Controller’.

KubeSlice in action

Installing KubeSlice on any distribution of Kubernetes is done via Helm charts. Tenancy driven by KubeSlice can be attained in a few simple steps after the initial installation of the ‘Controller’ subsystem.

KubeSlice is divided into two components: A control cluster and a group of worker clusters. The control cluster is the control plane managing worker clusters either in public clouds (multi cloud support) or clusters on-prem. The controllers job is to manage tenancy creation, establishment of isolation, creation of overlay network across worker clusters for a tenant, RBAC functionality for a tenant, resource allocation to a tenant and much more.

Steps for Establishing Tenancy

A multi-cluster multi-tenant model showing Team Athena Slice and Team Zeus Slice

1) Register cluster or set of clusters

This step defines Kubernetes clusters to be managed by Controller for creation of tenancy / Isolation for teams or customers.

First step is to register the clusters with the Controller.

—------
Cluster 1: aws-us-east-prod-cluster
—-------
apiVersion: controller.kubeslice.io/v1alpha1
kind: Cluster
metadata:

name: aws-us-east-prod-cluster
namespace: kubeslice-acme
spec:
networkInterface: eth0
clusterProperty:
telemetry:
enabled: true
telemetryProvider: "prometheus"
endpoint: "http://30.2.44.110:32700" ## For example: "http://extrenal IP:32700"
geoLocation:
cloudProvider: "AWS"
cloudRegion: "us-east-1a"
—-----
Cluster 2: gcp-us-east-prod-cluster
—-------
apiVersion: controller.kubeslice.io/v1alpha1
kind: Cluster
metadata:
name: gcp-us-east-prod-cluster
namespace: kubeslice-acme
spec:
networkInterface: eth0
clusterProperty:
telemetry:
enabled: true
telemetryProvider: "prometheus"
endpoint: "http://25.4.32.210:32700" ## For example: "http://extrenal IP:32700"
geoLocation:
cloudProvider: "GCP"
cloudRegion: "us-east"

Command Execution

kubectl apply -f <cluster registration>.yaml -n kubeslice-<project namespace>

2) Install KubeSlice operator in above registered clusters

Edit below YAML file with information

## Base64 encoded secret values from controller cluster
controllerSecret:
namespace: <namespace>
endpoint: base64 value of the <controller endpoint>
ca.crt: <ca-cert>

token: <token>
cluster:
name: <worker cluster>
endpoint: <endpoint of control plane of the worker cluster>
# Provide your username, password & email values under imagePullSecrets to create a
secret
imagePullSecrets:
repository: https://index.docker.io/v1/
username: <username>
password: <accesstoken of the user>
email: <email ID>

Command Execution

helm install kubeslice-worker kubeslice/kubeslice-worker -f <values>.yaml --
namespace kubeslice-system --create-namespace

3) Install Slice on the two clusters

After registering the cluster or a set of clusters by following the step above, one is ready to create a slice on a cluster or a set of clusters. By adding more than one cluster KubeSlice will automatically establish connectivity across clusters.

The YAML file below helps to create two tenants for two teams in the clusters registered. The teams ‘Team Athena’ & ‘Team Zeus’ will share the clusters in AWS and GCP.

—-----
Slice 1: team-athena
—-------
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceConfig
metadata:
name: team-athena
namespace: kubeslice-acme
spec:
sliceSubnet: “192.168.0.0/16”
sliceType: Application
sliceGatewayProvider:
sliceGatewayType: OpenVPN
sliceCaType: Local
sliceIpamType: Local
clusters:

- aws-us-east-prod-cluster
- gcp-us-east-prod-cluster
qosProfileDetails:
queueType: HTB
priority: 1 #keep integer values from 0 to 3
tcType: BANDWIDTH_CONTROL
bandwidthCeilingKbps: 5120
bandwidthGuaranteedKbps: 2560
dscpClass: AF11
namespaceIsolationProfile:
applicationNamespaces:
- namespace: identity-application
- namespace: identity-db-cache
clusters:
- '*'
isolationEnabled: true #make this true in case you want to enable isolation
allowedNamespaces:
- namespace: kube-system
clusters:
- '*'

A second slice for a different team who needs infrastructure but would like to not have any linkage with teams in the same organization. A cost effective way of sharing resources and still maintaining strict isolation from network, access, and resources can be achieved by creating a slice (tenant) on the same clusters.

—-----
Slice 2: team-zeus
—-------
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceConfig
metadata:
name: team-zeus
namespace: kubeslice-acme
spec:
sliceSubnet: “192.168.0.0/16”
sliceType: Application
sliceGatewayProvider:
sliceGatewayType: OpenVPN
sliceCaType: Local
sliceIpamType: Local
clusters:
- aws-us-east-prod-cluster

- gcp-us-east-prod-cluster
qosProfileDetails:
queueType: HTB
priority: 2 #keep integer values from 0 to 3
tcType: BANDWIDTH_CONTROL
bandwidthCeilingKbps: 5120
bandwidthGuaranteedKbps: 2560
dscpClass: AF11
namespaceIsolationProfile:
applicationNamespaces:
- namespace: analytics-application
- namespace: analytics-db
clusters:
- '*'
isolationEnabled: true #make this true in case you want to enable isolation
allowedNamespaces:
- namespace: kube-system
clusters:
- '*'

With the actions above, we have created TWO TENANTS (team-athena, team-zeus) across TWO CLUSTERS based on two different cloud providers. (aws-us-east-prod-clust, gcp-us-east-prod-cluster)

We’d love for you to try out KubeSlice and provide us feedback! If you run into any issues, we hang out in the #kubeslice channel on the Kubernetes slack. To keep up with the latest updates on KubeSlice, follow us on Twitter and Reddit.

A primer on WebAssembly

divya-mohan0209 — Thu, 06 Jan 2022 04:43:19 +0000

This first appeared on my Medium blog

As detailed in this LinkedIn post, 2022 is going to be my year of diving into the world of WebAssembly and Rust. With an overwhelming amount of people opting for blog content over other media, here’s the first one in, what I hope will be, a series of posts covering the aforementioned topics.

Although this has been covered in various formats across the internet, I believe any content about a new technology or tool should start with the motivations behind its inception. To understand why there was a requirement for WebAssembly, let’s take a not-so-quick stroll down memory lane.

History of the WWW

The world wide web, as we know it today, started off as a single page project on a NeXT computer at CERN. You can still view it here. The page was a simple static page written in HTML and contained links to the project and a few other technical details. The motivation behind this project was to enable information sharing between academics via a document exchange network.

As you probably noticed above, the very first browser wasn’t radically different from the browsers we use today. However, the interactive nature of web content has definitely seen a drastic change ever since. With its ubiquity and maturation, there was a requirement for the content being made available to be more sophisticated and for it to be rendered on different operating systems & devices. This obviously meant interacting with and accessing various elements within the HTML document and one of the frontrunners in this space was JavaScript.

Enter.. JavaScript

Created in 1995 with a name aimed to capitalize on the widespread adoption of Java, JavaScript had a very low barrier to entry. This meant that even someone who was fairly non-technical could use it to introduce interactivity into their webpage. This contributed to its prominence and rise as a de facto compilation target against competitors like ActiveX, Adobe Flash, JavaBeans etc.

But with this uninhibited rise, there were several challenges as well. JavaScript is an interpreted language. In simple terms, the functions you write are bundled and minified into a source file. Sent as plain text to the Client’s browser, this needs to be parsed into Abstract Syntax Trees, compiled into bytecode and then executed by the interpreter. The browser’s JavaScript engine then spots any potential optimizations via methods such as JIT Compilation allowing for eventual optimization. Keyword here being eventual since it’s a long drawn process with speed as an end goal.
However, the concerns with speed were not only limited to the convoluted process to get there. For more challenging applications where performance is a critical factor, the lack of consistency/predictability in the levels of performance was a significant obstacle.

Additionally, with the popularity of the web, there has been an even greater rush to bring more sophisticated languages into the fray. In the absence of plugins, using JavaScript as a compilation target was the only option. Being an interpreted language itself, the above operations were made complicated due to the amount of efforts required if they were to be achieved efficiently.

asm.js

Introduced as a subset of JavaScript, the asm.js specification aimed at describing a sandboxed virtual machine for memory-unsafe languages like C or C++ and provide a low-level, efficient target language for compilers. Implemented first by the Mozilla Firefox browser, this spec introduced performance improvements via employment of ahead-of-time optimizing compilation strategy for valid asm.js code by the JavaScript engines.

Quoting Mozilla docs,

It is a very small, strict subset of JavaScript that only allows things like while, if, numbers, top-level named functions, and other simple constructs. It does not allow objects, strings, closures, and basically anything that requires heap allocation. Asm.js code resembles C in many ways, but it’s still completely valid JavaScript that will run in all current engines

While asm.js was an improvement on the performance front, it was still limited to the things that were expressible in JavaScript. Being an informal spec of JavaScript and not an actual standard, every vendor optimized it in a way they saw fit. Although it did lead to an eventual convergence, there definitely was room for improvement with respect to standardization.

Enter… WebAssembly

Building upon the experience from asm.js, all major browsers worked towards designing a new format for the Web with one of the end goals being speed and efficiency.

WebAssembly, abbreviated Wasm, was designed to be a portable compilation target for programming languages, enabling deployment on the web for client and server applications.

So what exactly is WebAssembly? It is a binary instruction format for stack based machines. Here’s a partial snippet of how a simple “Hello world” program looks like in Wasm.

As is evident in the above snippet, this is closer to machine code than either asm.js or JavaScript. Therefore, it is a no-brainer that decoding, compiling, fetching, and optimizing WebAssembly code takes lesser time. Why?

The typical amount of time a JavaScript Engine takes during startup for an application today is depicted below.

Although the tasks have been separated above for pictorial depiction, in reality they weave into each other and are not discrete. With larger JavaScript applications, of course the overhead of monitoring and compiling the code increases.

Contrast that with how a typical WebAssembly flow looks like.

There’s not only a marked difference in the amount of time being spent on account of it being closer to the machine code, but there is also an elimination of certain steps altogether. This obviously leads to better performances in comparison for most cases but not all, since WebAssembly is still in its nascent stages (the MVP was completed in 2017).

But wait.. does that mean developers will now be expected to write entire codebases in WebAssembly instead of JavaScript? Since this is a like-to-like comparison, the obvious answer to this question would have been a yes. But that is not the case! It is expected that a majority of Wasm developers will continue to code in languages like Rust, C, etc. and then compile to WebAssembly so that users can reap its performance benefits.

So that’s it for this post! Here’s a list of resources that helped me along the way while learning,

The Mozilla Hacks blog
This free course by The Linux Foundation on edX
The sessionstack blog
CERN webpage
MDN Web Docs

To stay updated with my latest tech shenanigans, do follow me on Twitter and LinkedIn.

Signing your git commits (for Windows users)

divya-mohan0209 — Thu, 09 Dec 2021 13:33:49 +0000

We may not have the blue tick mark against our Twitter handles, but that should not stop us from verifying our commits on GitHub. After all, a verified account somewhere is better than none at all!

Why do I need to sign my commits?

There are tons of great articles on the internet, especially this one at freeCodeCamp by Seth Falco where the author explains it better than I ever can.

So why is this targeted at Windows users specifically?

Good question.

Reason #1: I use Windows.

Reason #2: Everything is 100 times more complicated with Windows, IMHO, because there'll never be enough stackoverflow posts covering it.

Fair enough, how do I get started?

Please note as of writing, GitHub Desktop DOES NOT support signing commits per their official documentation

Step #1: Download gpg4win.
Step #2: After running the exe file, this is one of the very first pages of setup that you will come across. Please ensure that Kleopatra is selected during this step. We will need it later.

Step #3: Click install & finish the installation. You should see a Kleopatra icon on your desktop as shown below.

Step #4: Open the Kleopatra management tool & create your very first key pair by clicking File -> New Key Pair. Select the personal OpenPGP key pair in the dialog box that pops up.

Step #5: When you click Next, you'll be asked to enter some details. In the section against Name, I recommend entering your GitHub ID. In the email section, it's obviously a no-brainer at this point that you need to enter the one that is registered with GitHub.

Step #6: This step is optional, however you can change the validity period of the key you create. Default setting as of writing this is two years.

Step #7: Click create. You'll get a dialog box where the fingerprint of the key you just created will be made visible to you.

Step #8: This is one of the most important steps. So please ensure you follow it closely. On the Kleopatra console, you should now see the key you just created. Right click on it and select export. Save it & open it with a editor of your choice. I used Notepad because of its ease. Copy the contents of the file and navigate to your GitHub account.

Step #9: Under Settings -> SSH and GPG keys, click Add New GPG key & paste the contents from the file you just copied.

Step #10: Time to setup your CLI! You can use Git Bash or command prompt. I use the latter out of habit. On the prompt window, copy & paste the below command as is.

git config commit.gpgsign true

Step #11: If you want to enable the same keypair for signing any local repository on your machine, copy & paste the below command as is.

git config --global commit.gpgsign true

Step #12: So Windows is a tricky operating system and even if you follow all of the above steps, you still might not end up being able to sign your commits properly. This typically happens because git is not able to find the key you just generated. So, firstly let's list the keys you generated with gpg.

gpg --list-secret-keys --keyid-format=long

Next up, we will need to copy the listed public key and specify that Git needs to use that specific key with the below command.

git config --global user.signingkey your_key_here

Step #13 You should be all set to sign your commits now by appending an extra -S to your git commit command!

git commit -S -m "your_commit_message"

That's it! Once you push the commit to the repo, you should be able to see a green tick mark against your commit verifying that it came from you.

Hope this was useful!

From zero to WIP

divya-mohan0209 — Fri, 05 Nov 2021 11:58:11 +0000

How I transitioned from being a sys admin working on legacy middleware to sailing the cloud native seas

This post originally appeared on my Medium blog

At the beginning of the pandemic, with a lot of free time on my hands I decided to invest some of it in learning new things over and above my day job at HSBC. With the ever-changing landscape I felt that my skills required a fair amount of polishing & therefore, I set off in search of places where I could learn and if possible, practise what I learned.

There are multiple ways you could go about doing this and my route, in no way, is a holy book that you have to follow. By sharing the basic tenets on which my decisions were made, for people stuck in a similar position with zero previous experience in cloud native, I hope, the journey becomes a little less daunting.

1. Introspect

This was one of the very steps that I undertook. Introspecting & understanding my end goal was very important for me because learning — be it via MOOCs or any other avenue would be an investment of my time over and above my day job. With the pandemic confining all of us eventually, sure there would be more hours that I could devote to this project. However below were a few questions that helped me narrow down my end goal.

Were my end goals intrinsically motivated? Or were they motivated by external factors such as compensation, recognition, etc?
What amount of time could I devote on a daily basis towards improvement?

Both these questions helped define MY baseline of sustainability towards this practice. Again, this is a very subjective result but I wanted to break out of the comfort zone that I had relegated myself to. I also wanted to be able to meet folks outside of my bubble & learn more from them. Since we weren’t in lockdown mode when I started thinking about this, the time commitment was relatively shorter. I could devote, at most, 2 hours per day to this effort. This would, of course, change later on when we all went into one endless lockdown.

Taking time out to introspect is very important because nobody really knows you better than yourself. Without truly asking yourself why you’re in it, it is also extremely easy to overcommit because you end up saying yes to everything that comes your way.

2. Assess

With an end goal in sight, I needed to figure out how to get there with all of the constraints in place. Some of the questions that helped me during this process were,

What are some of the avenues that are a great match for the end goal that I have in sight?
What are some of the things, technical and non-technical, that I am really good at?
What are some skills I could definitely brush up on/learn from scratch?

Meetup groups and open source communities were easily the best answers for the first question in this section. Meetup groups were slightly more daunting due to the fact that I had to actually meet groups of people I had never interacted with before and put myself out there. Building that muscle was difficult because I did it by learning in public. Most of my technical skills I attributed to my job & hadn’t bothered to upgrade them in years (sad, but true). In an ever-changing landscape, I had not bothered to pull myself up & learn new things. This not only festered dissatisfaction in a job that had all the perks but I ended up hitting “The Wall of Stagnation” as I call it now.

Tip: For a lot of people, meetup groups & open source communities might not be a sustainable option because of the time/effort commitment required. And that’s totally fair! There are other avenues you can pick to start learning, if that’s your end goal and you’ll be just fine.

3. Chart

Armed with this information, I charted my course that resembles the below

Join open source communities & meetup groups based on the areas I was most interested in
Figure out where I could contribute based on my skills
Understand what my aspirational contributor level was.
Develop new skills

Although I’ve listed this out, it is an endless iterative loop for me. After joining Kubernetes & LitmusChaos based on my interests in 2020, I realized that documentation/non-code contributions were the only place I could contribute effectively because of my skills. I knew the barebones of HTML, CSS, and Javascript and could easily build up on the knowledge I already had. I also built up my documentation prowess by participating in the Google Season of Docs with CERN.

Over and above this, I also got involved in the Release Team shadow program to learn more about the Kubernetes ecosystem from an end-to-end perspective. Of course, during all of this I continued learning (and failing) publicly by speaking at various events globally. This gave me the opportunity to play to my strengths while building muscle for things that I was less skilled in.

4. Course correction

I know this seems like a simple start — finish story, but it isn’t. There were multiple times throughout the journey (which is still WIP, btw) when I went completely bonkers by overcommitting & taking on more work than I should have or was skilled for.

Fun fact: I purchased a number of courses on different MOOCs during an impulsive buying spree. I thought I would get to them eventually before starting off this journey. More than half of them will never see completion, unfortunately.

I am grateful that my journey survived those downfalls because it did teach me a LOT about course correcting. A few questions for when you’ve veered too far away from the road

Do I want to achieve something new or am I chasing the next shiny happy thing?
Is this in alignment with my goal/s?

I ask myself these questions every quarter because I have shiny object syndrome. I get distracted very easily & focus is an alien concept. This might not be the case with everyone. But it definitely makes sense to review if what you are doing continues to make sense & if it doesn’t, to reroute yourself by going back to #1 again.

So, what’s next?

I currently co-lead the documentation efforts for Kubernetes & LitmusChaos, am a CNCF ambassador, have spoken at global events, and have even co-led the creation & review of the KCNA certification. I intend to continue and plan on writing/speaking more about cloud native & open source. My target is to get myself CKA & CKAD certified by Q1, 2022 & continue exploring other avenues of the projects I can contribute to.

I will continue to document my journey here and on Twitter. You can follow me on both avenues to stay updated with the latest goss.

Serverless and the Dreaded CORS

divya-mohan0209 — Sun, 02 Feb 2020 06:42:39 +0000

While venturing farther in the Serverless world, I started making a list of things I encountered on my journey that I would like to delve deeper into; plainly because, I figured learning just enough to make something work was never going to satisfy my voracious appetite. Towards cementing my understanding, I started making unorganized one-liner notes as reference material. This article (and the ones that will follow, hopefully) are logical extensions of those notepad entries.

My very first entry on the list, was CORS - more commonly known as Cross Origin Resource Sharing.

So what EXACTLY is CORS?
Cross Origin Resource Sharing (CORS) enables a web-app to access resources OUTSIDE of its domain in a controlled manner and offers flexibility + functionality over the default same-origin security policy.
What is Same-Origin Security Policy?
A policy, under which, a web browser permits web page #1 to access data in web page # 2, ONLY IF both web pages have the same origin i.e. belong to the same domain.
How is CORS relevant in Serverless?
Web API Backends being a popular use case in serverless, a web page might need to make calls to a backend API that lies on a different domain i.e. of different origin; therefore, requiring the call to be CORS-friendly.
What is a common error indicating that CORS is NOT enabled?
No 'Access-Control-Allow-Origin' header is present on the requested resource
How is CORS implemented?
Two main ways:
- Headers
  - Access-Control-Allow-Origin header: Included in the response to specify the origin of where the request originated from as the value for allowing access to the resource's contents.
- Pre-flight requests (GET, POST, HEAD methods excluded)
  - Browser will send a preflight request to the resource using the OPTIONS method; in response to which, the resource you're requesting will return with methods that are safe to send and may optionally return the headers that are valid to send across.
Ways that CORS can be exploited? (i.e. Poor design practices)
- Allowing access to any domain in the origin field
- Allowing access to all sub-domains (including currently non-existent sub-domains, that could potentially be malicious)
- Origin header specification supporting the value null
- Trusting origins with vulnerabilities to XSS i.e. Cross Site Scripting
- Whitelisting trusted subdomain using HTTP
- Lower security standards for authentication on intranets/internal websites
Ways to prevent CORS-based attacks?
- Allowing trusted websites ONLY
- Avoid whitelisting null
- Avoid use of wildcards in intranets/internal websites
- Judiciously configure cross-domain requests by correctly specifying origin against Access-Control-Allow-Origin header
- Stringent configuration of server-side security policies.

Credits: Major shout-out to Alex DeBrie for his amazing article on Serverless and CORS that helped me a lot while writing this post.