8 Kubernetes Security tips for cloud engineers
For nearly 40% of DevOps and engineers, Kubernetes security isn't taken seriously enough. So what steps can be taken to protect your clusters? Here are some useful tips...
Remember when milk was delivered door-to-door in glass bottles? Concerned by the environmental impact of (plastic) drink packaging and transport today, three French startup founders decided to resuscitate the old ‘milkman’ method, powered by the latest cloud tech. Here, Le Fourgon CTO & Co-Founder Stephane Dessein explains how this Lille-based company did it, with K8s’ help.
We realized that, since 36 million plastic bottles are used every year in France alone, on the current trajectory there will be more plastic in the sea than fish by 2050, notably because only 20% of plastic is currently recycled. So we looked at the old ‘milkman’ model, and realized it could be brought back to life. Glass bottles are naturally better for the planet than plastic ones. Better still, we found out that reusing glass bottles uses 75% less energy, 33% less water and 79% less CO2 than recycling them.
So, in April 2021, we launched Le Fourgon, from our hometown, Lille (Northern France). The milkman was back! Except this time, he was digitized. Consumers order their bottles through our app, they receive crates of glass bottles, then on their next order, we take those bottles back, and our clients receive 20 cents per bottle returned.
Just over two years later, something’s working, as we’re now present in fifteen towns throughout France, and have over 250 staff.
Firstly, we always want to favor local, French products and services. And Scaleway’s environmental engagements, including your adiabatic data center (DC5) also spoke to me, as well as your focus on data sovereignty.
Secondly, the products: I knew you had Kubernetes services like Kapsule, which is what I chose for Le Fourgon.
Last but not least, the Startup Program credits helped! GCP or AWS offer three times more, but there’s no point taking such huge resources if you don’t need them. We’ve not looked back since.
The best technology is the one you master; and that which is the best adapted to your needs. This was the case for us, as I’d already worked with Kubernetes, so I started a proof of concept. I was told that K8s is like using a bazooka to swat a fly. But I knew it would allow me to scale easily. These past two years, the basic stack hasn’t changed, it’s just got bigger. Scaling a VM would have been way more complicated. Furthermore, I knew I could run my test environments on K8s as well.
This notion of reproducibility, and the resilience and abstraction that it requires, was the key thing for me from the get-go. I know that if I have a problem with one cluster, I can create a new one, and in two seconds move my entire stack to it. This is particularly useful when big updates are necessary, as it enables you to **avoid downtime (we’ve had none in the past two years)**. Finally, Kubernetes repairs itself, so if there’s a problem, K8s will try to fix it.
To be honest, no! We don’t have that many peaks, as we’re able to anticipate the levels of demand for our services. And we’re anti-promotions like Black Friday. When we do get peaks, they are managed by auto-scaling.
But above all, we usually know what workloads to expect and when. As our delivery rounds are pre-calculated, we know they’re always going to be filled. We give the orders to an algorithm, which calculates how many vehicles will be needed to deliver X products to Y different places, within each two-hour slot. This way we only use as many (electric) trucks as are needed at any given time, whilst covering the shortest distances possible.
In IT terms, our biggest challenge is ensuring the service remains available at all times. Both the e-commerce and logistical elements of our stack are home-made, and cloud-based. Furthermore, our warehouses have no data storage capacities or servers on-site, notably for security reasons. They’re all connected to a central resource. So all they need is a secure internet connection to that cloud, and 4G network access as a back-up.
This means, of course, that if the central cloud goes down, everything does! But we’re working on that. Future iterations of our stack will be more decentralized, across several locations, and potentially in different data centers. We know that’s possible with Kubernetes, and with Scaleway.
This intelligent resource management is another key part of K8s’ scalability: we know that when we need fewer resources, we’ll take up less space on each cluster, and will therefore pay less. For example, if at night we decide to focus on just doing data extracts, the cluster will remove the resources it doesn’t need. I needn’t worry whether those resources are right-sized or not.
We know that most of the digital sector’s impact is in hardware, so we try to use second-hand material as far as possible. For example, we buy computers that are 4-5 years old, and install Chrome OS Flex on them, as it’s an OS that’s way lighter than Windows; the PCs work really well that way. We’ve just started buying only reused smartphones too.
Our other initiatives are more common sense. For example, we try to charge our electric vans at night, when electricity is cheaper (and often has a lower carbon mix). And staff get subsidies to buy electric bicycles!