Highly Secure Infrastructure
Running on Kubernetes and in containers
- Immutable infrastructure philosophy
Everything expressed via configuration or code
- Nothing is manually done
- This facilitates repeatability, auditability, and consistency
Very strict rules on everything
- Very restrictive AWS IAM roles and permissions on all nodes
- AWS Cloud trails and Flow Logs are enabled and monitored in real time
- User access and controls
- Usually means no read/write access to secrets
- Deployment bot access and controls to exactly what it needs to do its jobs
- No read access to secrets
- Pod rights and permission to access resources to only exactly what it needs
- Secrets are encrypted at rest
- Strict network access rules on inter-pod and inbound/outbound access
- IP and port level access
- And to end encryption for all microservices
- All network communication will be encrypted into and inside the cluster, even for service to service interactions
- Easy key rotation
- Microservice mesh networking
- Deep analytics and visibility on inbound and microservice interactions
-
Containers
- Never run as root
- Built with least amount of packages installed
- Repeatable/automated process for building/testing/deploying
CI/CD

- Automated deployments of everything
- No human should be configuring or deploying anything into the cluster
- This gives you complete programmatic control of the cluster and what runs inside of it
- Everything that happens is auditable by the code because there are no manual steps
- Segmentation of duties based on roles and servers
Logging & Monitoring
- Cluster Nodes
- Pods
- Kubernetes Audit Logs (logging only)
Alerting
- Searchlight alerting
- Alerts and actionable insights
- Destinations:
- Slack
- Hipchat
- Pagerduty
Network
- Continuous auditing of inbound/outbound access
- Matching network traffic to known threat list for attacks and bad actors
- Anomaly detection
Chatbots
- Interaction with the cluster via Slack
- Slack
- Hipchat
- Pagerduty
- Initiate batch jobs
Multiple Cluster
To support a dev/stage/prod workflow
Multi-Region Deployments
- Redundancy or active/active deployments
- Serve worldwide traffic