Tuesday May 06, 2025

Locking Down Kubernetes: CERN’s Guide to Network Policies, OPA & Vault

Discover how CERN secures the vital Kubernetes cluster powering its massive CMS particle physics experiment using key cloud-native tools. This episode explores their real-world implementation of Network Policies via Calico for fine-grained internal firewalling between microservices. We delve into their use of Open Policy Agent (OPA) Gatekeeper to enforce custom rules on resource creation, ensuring compliance *before* deployment. Understand their shift to HashiCorp Vault for robust, centralized, and encrypted secrets management, moving beyond basic K8s secrets. Learn how these technologies form a layered defense strategy against modern threats. We also cover practical details like specific OPA policies and the seamless Vault Agent Injector pattern.
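The "fine-grained internal firewalling" pattern named above, as an added illustration that is not taken from the CERN paper or the episode: a namespace-wide default-deny baseline followed by one explicit allow between two hypothetical microservices, `frontend` and `api`, in a hypothetical namespace `cms-app`. Calico enforces standard Kubernetes `NetworkPolicy` objects, so nothing Calico-specific is needed for this pattern.

```yaml
# Added example; namespace, labels and port are assumed, not from the page.
# 1) Deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cms-app
spec:
  podSelector: {}          # empty selector matches every pod in cms-app
  policyTypes:
  - Ingress
  - Egress                 # both directions are denied until an allow rule matches
---
# 2) Re-open exactly one path: frontend pods may reach api pods on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: cms-app
spec:
  podSelector:
    matchLabels:
      app: api             # policy is attached to the api pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend    # only pods labelled app=frontend in this namespace
    ports:
    - protocol: TCP
      port: 8080
```

Because the baseline also denies egress, pods will lose name resolution until a separate egress rule allows UDP/TCP 53 to the cluster DNS service; treat that as the first allow to add after default-deny.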

Read the original paper: http://arxiv.org/abs/2405.15342v1
Music: 'The Insider - A Difficult Subject'
