Kubernetes Security Architecture Cheatsheet
github.com

18 points

xeor

16 hours ago

7 comments

arccy 14 hours ago

While it all falls under "security", it feels too confused in what it's trying to show.

I think it focuses too much on the happy path of security, typically you'll want to focus on specific areas. For example, access to the kubernetes API and what you can do, effective bypasses of RBAC by impersonation because a user has access to something else like argocd or a job system. Or another example, network paths and how they're all connected together.

Some boxes are weirdly disconnected, e.g. things point to the ingress but nothing flows out (hiding the potential that an ingress can be confused to route to your internal services), runtimes sit to the side when they should sit above the kernel, namespace is just a box to the side, etc.

xeor 16 hours ago

Took some time to make, looking for comment's and suggestions

  • snupples 15 hours ago

    Very interesting! Looks like it took a lot of work.

    Since you are soliciting suggestions, I would suggest focusing on the core theme and simplifying or removing things that are not directly related to the subject.

    For example, some peripheral mentions of argocd/helm/kustomize/cilium/opentofu/etc. There are boxes for these with arrows, but nothing showing how these are tied into security. They're also specific products that not everyone uses so can be further irrelevant to your audience.

    But by including them it makes the diagram perhaps unnecessarily busy, and while it looks cool, it could be less useful to your audience if it's harder to parse. Maybe certain things could be broken out into sub-diagrams with their own treatment.

    For example, ArgoCD has its own security architecture not directly related to k8s.

    • xeor 14 hours ago

      Thanks for the suggestions :) I'll look into how I can tune those down a little. They are however needed to understand the "platform picture" I am trying to get through in some discussions

  • nahimn 15 hours ago

    Thank you for making this.