How to secure Kubernetes at the infrastructure level: 10 best practices

Infrastructure security is something that is important to get right so that attacks can be prevented—or, in the case of a successful attack—damage can be minimized. It is especially important in a Kubernetes environment because, by default, a large number of Kubernetes configurations are not secure.

Securing Kubernetes at the infrastructure level requires a combination of host hardening, cluster hardening, and network security.

  • Host hardening – Secures the servers or virtual machines on which Kubernetes is hosted
  • Cluster hardening – Secures Kubernetes’s control plane components
  • Network security – Ensures secure integration of the cluster with surrounding infrastructure

Let’s dive into each of these and look at best practices for securing both self-hosted and managed Kubernetes clusters.

Host hardening

There are many techniques that can be used to ensure a secure host. Here are three best practices for host hardening.

Use a modern immutable Linux distribution

If you have the flexibility to choose an operating system (i.e. your organization doesn’t standardize on one operating system across all infrastructure), use a modern immutable Linux distribution, such as Flatcar Container Linux or Bottlerocket. This type of operating system is specifically designed for containers and offers several benefits, including:

What is Wi-Fi 6, and why do we need it?

Wi-Fi 6, also known as 802.11ax, was officially certified in 2020 and has quickly become the de facto standard for wireless LAN (WLAN), superseding Wi-Fi 5 (802.11ac). Wi-Fi 6 delivers improved performance, extended coverage, and longer battery life compared to Wi-Fi 5.Wi-Fi 6 was originally designed to address bandwidth problems associated with dense, high-traffic environments such as airports, stadiums, trains, and offices. However, the explosion of IoT devices that need to connect wirelessly to edge devices, and the ever-increasing bandwidth needs of new data-thirsty applications has rendered Wi-Fi 6 not exactly obsolete on arrival, but certainly not sufficient for some use cases.To read this article in full, please click here

How to build a high-speed network for the metaverse of things

How many people on social media have friends only in their home city? Probably not very many, so we shouldn’t think that when Meta or others deploy a metaverse, the inhabitants will all be drawn from the same place.To be successful, a metaverse has to support dispersed users, and the more successful it is, the more its users can be expected to be dispersed over a wider geography. Today, metro, but tomorrow the world. If, as the metaverse spreads out, latency issues destroy the synchronized behavior of the avatars, then it will lose realism and at some point that loss would constrain growth. We already know how to control access latency, but how do we control massive-metaverse latency? Answer: With Massive Metaverse Meshing.To read this article in full, please click here

How to build a high-speed network for the Metaverse of Things

How many people on social media have friends only in their home city?  Probably not very many, so we shouldn’t think that when Meta or others deploy a metaverse, the inhabitants will all be drawn from the same place.To be successful, a metaverse has to support dispersed users, and the more successful it is, the more its users can be expected to be dispersed over a wider geography. Today, metro, but tomorrow the world. If, as the metaverse spreads out, latency issues destroy the synchronized behavior of the avatars, then it will lose realism and at some point that loss would constrain growth. We already know how to control access latency, but how do we control massive-metaverse latency? Answer: With Massive Metaverse Meshing.To read this article in full, please click here

Hedge 123: Geoff Huston and the State of BGP

Another year of massive growth in the number and speed of connections to the global Internet—what is the impact on the global routing table? Goeff Huston joins Tom Ammon and Russ White to discuss the current state of the BGP table, the changes in the last several years, where things might go, and what all of this means. This is part 1 of a two part episode.

download

Cloudflare Radar’s new ASN pages

Cloudflare Radar’s new ASN pages
Cloudflare Radar’s new ASN pages

An AS, or Autonomous System, is a group of routable IP prefixes belonging to a single entity, and is one of the key building blocks of the Internet. Internet providers, public clouds, governments, and other organizations have one or more ASes that they use to connect their users or systems to the rest of the Internet by advertising how to reach them.

Per AS traffic statistics and trends help when we need insight into unusual events, like Internet outages, infrastructure anomalies, targeted attacks, or any other changes from service providers.

Today, we are opening more of our data and launching the Cloudflare Radar pages for Autonomous Systems. When navigating to a country or region page on Cloudflare Radar you will see a list of five selected ASes for that country or region. But you shouldn’t feel limited to those, as you can deep dive into any AS by plugging its ASN (Autonomous System Number) into the Radar URL (https://radar.cloudflare.com/asn/<number>). We have excluded some statistical trends from ASes with small amounts of traffic as that data would be difficult to interpret.

Cloudflare Radar’s new ASN pages

The AS page is similar to the country page on Cloudflare Radar. You can find traffic levels, protocol Continue reading

Understanding Data Center Fabrics 04: Clos Scaling – Video

In the fourth installment of this 9-video series, Russ White describes methods for scaling data center fabrics. He reviews how to calculate port density in a leaf-spine design, discusses physical restraints on the scale of a fabric based on the spines, fabric types in chassis switches, and the pros and cons of chassis vs. single […]

The post Understanding Data Center Fabrics 04: Clos Scaling – Video appeared first on Packet Pushers.

HOW TO FORGET A WIFI NETWORK ON MAC.

Once your Mac computer gets connected to a source of wifi and the password has been saved, its unique features enable it to automatically reconnects once in range with the wifi network.. At first, this might be okay not until for some reason, you don’t want it to be connected anymore.

Sometimes, when there are various networks in range that had been previously connected and saved to your Mac, it becomes difficult for your system to choose which one to connect to as they are all saved and could easily be connected. In situations like this, you may want to connect to one particular network but it probably connects to the wrong one. In this scenario, you would want to disconnect with the unwanted wifi network, and to do that means you would need to forget the wifi.

There are other various reasons why you may need to forget your wifi network. Probably you’ve got lots of already connected networks and you would like to reduce them or you no longer really use the network anymore and don’t want it always connected or you probably have more than one wifi and would no longer want to use one but the Continue reading

Beware: Ansible Reorders List Values in Loops

TL&DR: Ansible might decide to reorder list values in a loop parameter, resulting in unexpected order of execution and (in my case) totally borked device configuration.

A bit of a background first: I’m using an Ansible playbook within netlab to deploy initial device configurations. Among other things, that playbook deploys configuration snippets for numerous configuration modules, and the order of deployment is absolutely crucial. For example, you cannot activate BGP neighbors in Labeled Unicast (BGP-LU) address family (mpls module) before configuring BGP neighbors (bgp module).

Read more …

Beware: Ansible Reorders List Values in Loops

TL&DR: Ansible might decide to reorder list values in a loop parameter, resulting in unexpected order of execution and (in my case) totally borked device configuration.

A bit of a background first: I’m using an Ansible playbook within netsim-tools to deploy initial device configurations. Among other things, that playbook deploys configuration snippets for numerous configuration modules, and the order of deployment is absolutely crucial. For example, you cannot activate BGP neighbors in Labeled Unicast (BGP-LU) address family (mpls module) before configuring BGP neighbors (bgp module).

Read more …

Nvidia Will Be A Prime Contractor For Big AI Supercomputers

Normally, when we look at a system, we think from the compute engines at a very fine detail and then work our way out across the intricacies of the nodes and then the interconnect and software stack that scales it across the nodes into a distributed computing platform.

Nvidia Will Be A Prime Contractor For Big AI Supercomputers was written by Timothy Prickett Morgan at The Next Platform.

Tech Bytes: The Advantages Of Singtel SD-WAN For Cloud Access (Sponsored)

On today's Tech Bytes with sponsor Singtel, we look at SD-WAN as a critical network feature for cloud access, including the use of overlays to simplify operations. We also discuss why organizations might consider a service provider for SD-WAN and dig into Singtel's SD-WAN offering.

The post Tech Bytes: The Advantages Of Singtel SD-WAN For Cloud Access (Sponsored) appeared first on Packet Pushers.

1 553 554 555 556 557 3,851