Security Best Practices

If there are multiple service operators (a.k.a. SREs)deploying different services in a medium- or large-size cluster, we recommend creating a separate for each SRE team to isolate their access.For example, you can create a namespace for team1, and team2-ns namespace for team2, suchthat both teams cannot access each other’s services.

Let us consider a three-tier application with three services: photo-frontend,photo-backend, and datastore. The photo SRE team manages the and photo-backend services while the datastore SRE teammanages the datastore service. The photo-frontend service can accessphoto-backend, and the photo-backend service can access datastore.However, the photo-frontend service cannot access .

In this setup, Kubernetes can isolate the operator privileges on managing the services.Istio manages certificates and keys in all namespacesand enforces different access control rules to the services.