DevOps Infrastructure | ManagedKube

Immutable infrastructure philosophy

Nothing is manually done

This facilitates repeatability, auditability, and consistency

Very restrictive AWS IAM roles and permissions on all nodes

AWS Cloud trails and Flow Logs are enabled and monitored in real time

User access and controls
- Usually means no read/write access to secrets

Deployment bot access and controls to exactly what it needs to do its jobs
- No read access to secrets

Pod rights and permission to access resources to only exactly what it needs

Secrets are encrypted at rest

Strict network access rules on inter-pod and inbound/outbound access
- IP and port level access

And to end encryption for all microservices
- All network communication will be encrypted into and inside the cluster, even for service to service interactions
- Easy key rotation
- Microservice mesh networking
- Deep analytics and visibility on inbound and microservice interactions
- Containers
  - Never run as root
  - Built with least amount of packages installed
  - Repeatable/automated process for building/testing/deploying

Automated deployments of everything

No human should be configuring or deploying anything into the cluster

This gives you complete programmatic control of the cluster and what runs inside of it

Everything that happens is auditable by the code because there are no manual steps

Segmentation of duties based on roles and servers

Cluster Nodes

Pods

Kubernetes Audit Logs (logging only)

Searchlight alerting

Alerts and actionable insights

Destinations:
- Slack
- Hipchat
- Pagerduty

Continuous auditing of inbound/outbound access

Matching network traffic to known threat list for attacks and bad actors

Anomaly detection

Interaction with the cluster via Slack
- Slack
- Hipchat
- Pagerduty

Initiate batch jobs

To support a dev/stage/prod workflow

Redundancy or active/active deployments

Serve worldwide traffic