TL;DR notes from articles I read today.
“Let’s use Kubernetes!” Now you have problems
- If yours is a small team, Kubernetes may bring a lot of pain and not enough benefits for you.
- If you need to scale, you need at least 3-4 virtual machines, and that means twice as many actual machines at a minimum.
- The codebase is heavy: 580,000 lines of Go code at its heart as of March 2020, and large sections have minimal documentation and lots of dependencies.
- Setting up and deploying Kubernetes is complex - architecturally, operationally, conceptually and in terms of configurations, compounded by confusing default settings, missing operational controls and implicitly defined security parameters.
- Running your application locally becomes hard: you need VMs or nested Docker containers to begin with, plus staging environments, tooling to proxy a local process into a cluster or a remote process onto a local machine, and so on.
- You are tempted to write lots of microservices, but distributed applications are hard to write correctly and hard to debug. If you have more services than you have developers, you are doing it wrong.
Full post here, 6 mins read
Severe truth about serverless security and ways to mitigate major risks
- Cloud providers may secure your databases, operating systems, virtual machines, the network, and other cloud components, but you must still protect your application layer (code, business logic, data and cloud service configurations) against cyber attacks.
- Traditional web application firewalls only protect functions called through an API gateway. So, apply perimeter security to each function, incorporate whitelist validation, monitor updates to functions, and add runtime defense solutions.
- Be wary of third-party dependencies. Obtain components from trusted official sources over secure links. For Node.js applications, use package locks or npm shrinkwrap to pin dependency versions until you have reviewed updates. Identify and fix vulnerabilities with automated dependency scanners.
- Ensure all credentials used to invoke third-party services or cross-account integrations are temporary or encrypted, and use a cryptographic key management solution. Set strict constraints on input/output messages passing through the API gateway.
- Address the downside of autoscaling, DoW (denial of wallet) attacks: set budget limits with alarms, limit the number of API requests in a given time window, use DDoS protection tools, and try to make API gateways internal and private.
Full post here, 7 mins read
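The request-window and budget-limit mitigations for denial of wallet in the notes above, as an added example that is not from the original post or its author: a per-caller sliding-window limiter and a spend guard wrapped around a function handler. All class names, costs and the traffic sample are constructed; it assumes single-process state, whereas a real deployment would keep counters in a shared store and rely on the gateway's own throttling and the provider's budget alarms as the hard backstop.

```python
"""Constructed example: sliding-window rate limit plus spend guard for a
serverless handler. Counters live in process memory for illustration only."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WindowLimiter:
    """Allow at most max_requests per caller within any window_seconds span."""
    max_requests: int
    window_seconds: float
    _hits: dict = field(default_factory=dict)  # caller -> accepted timestamps

    def allow(self, caller: str, now: float) -> bool:
        q = self._hits.setdefault(caller, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


@dataclass
class BudgetGuard:
    """Track estimated spend; raise an alarm at the soft limit, refuse work at the hard limit."""
    cost_per_invocation: float
    soft_limit: float
    hard_limit: float
    spent: float = 0.0
    alarms: list = field(default_factory=list)

    def charge(self) -> bool:
        if self.spent + self.cost_per_invocation > self.hard_limit:
            return False  # refusing is cheaper than an unbounded bill
        self.spent += self.cost_per_invocation
        if self.spent >= self.soft_limit and not self.alarms:
            self.alarms.append(f"budget soft limit {self.soft_limit} reached")
        return True


def handle(event: dict, limiter: WindowLimiter, budget: BudgetGuard, now: float) -> dict:
    """Gate a function invocation: rate limit first, then budget, then real work."""
    caller = event.get("caller", "anonymous")
    if not limiter.allow(caller, now):
        return {"status": 429, "body": "rate limited"}
    if not budget.charge():
        return {"status": 503, "body": "budget exhausted"}
    return {"status": 200, "body": f"hello {caller}"}


def simulate():
    limiter = WindowLimiter(max_requests=3, window_seconds=60)
    budget = BudgetGuard(cost_per_invocation=0.5, soft_limit=1.0, hard_limit=2.0)
    # Constructed traffic: one caller bursts, then a second caller arrives.
    traffic = [("client-a", t) for t in range(5)] + [("client-b", 10), ("client-b", 11)]
    statuses = [handle({"caller": c}, limiter, budget, float(t))["status"] for c, t in traffic]
    return statuses, budget.spent, list(budget.alarms)
```

Running `simulate()` shows the burst from the first caller being cut off at three requests while the second caller is still served, until the hard budget limit turns further invocations away.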
Get these notes directly in your inbox every weekday by signing up for my newsletter, in.snippets().