In this post on thinking about security when coming from an on-premises world to the cloud, I focus on Google Cloud, so some of the techniques I discuss may not map easily to your cloud of choice; that aside, the principles are much the same. How is security in the cloud different? When addressing security concerns on-premises you are responsible for everything: the physical security of assets, the operating system, application servers, the applications, and managing user permissions.
In my incredibly narrow and brief tour of auditing and enforcement policies for GKE I spoke about OPA and Gatekeeper. In this post I am having a look at creating Gatekeeper policies. This, however, was going to entail me getting to grips with Rego! So what is Rego? To understand what Rego is you need to know what Open Policy Agent (OPA) is. I discussed it in my post, but the key thing is that it's a general-purpose policy engine.
Asking questions of past me has been fun, but what I wanted to do next was see what future me might conceivably tweet, so a little machine learning fun was my next stop. This post, like my first post in this series on having fun with my Twitter feed, is about showing you how easy it is to use GCP to help you have fun with your tweets in the simplest way possible (ok, laziest way!
I've been using Twitter for over 10 years now and I was thinking it would be cool to analyse my tweets over the years. It would also give me a new dataset that I could use when looking at data-related stuff (I find it easier to use data I actually care about when exploring data things). You can download your Twitter archive, so there is no need to use the Twitter API to get hold of my data.
Admission controllers. When enforcing policies in K8s (I am assuming that you are running an up-to-date version of k8s, and when I say k8s I will specifically be talking about GKE, but you knew that 😀) you use Admission controllers (this shouldn't be optional, hence "use" with no qualifier!). Admission controllers essentially provide a way to govern how the cluster is used by intercepting calls to the k8s API before the object is persisted, but after the request has been authenticated and authorized.
My top 5 things I wish GCP would shout louder about. Ways to stop yourself deleting things you don't want to delete: Project liens, which stop you accidentally deleting a project (my colleague @MrTrustor waxes lyrical about that here); the VM deletionProtection flag, which helps prevent the accidental deletion of a VM, say when you are running AD on an instance or have a monitoring service that needs to be up and running all the time. Use IAM to grant least-privilege permissions. Cloud Storage bucket locks.
For those of you who have been reading my GCP flowchart series over on Medium, the collection now lives here. This post contains all the ones I posted on Medium that are still applicable at the time of writing, together with a few brand new ones. I've now arranged them under the following headings: Compute; Storage and Data; Security; Networking; Misc, so it's easy to find the one you want.
I will be blogging here for now. I've been posting on Medium for a while, but I needed to move somewhere where I had more control yet still minimised the operational overhead of managing a website. For the curious, this site is created with Hugo and hosted with Firebase. If you're interested in using Cloud Storage, I've walked through using Hugo and GCS here.