I'm following the Kubernetes ecosystem quite a bit and sometimes people share how they architect their platforms, just like the engineers that built the Cruise self-driving car platform from GM.
In a series of articles, they first described the Cruise PaaS architecture, and the second part of the series goes into the security architecture of the platform.
I find the statement below remarkable because it shows that security by design is arriving in the developer (now: DevOps) world, and that by making it a design decision rather than a checkbox you win in the long term: if you start planning with security in mind, you can continue to develop rapidly without security slowing you down.
Btw, there is no mention of network policies. This is particularly hard, and I see people struggle with implementing network and segmentation policies for their container platforms and applications.
“However, security isn’t just a checkbox you mark off on project designs — it’s continual improvements made at multiple layers of the stack. Since security improvements often generate new requirements for existing projects, it’s good to minimize disruption by planning ahead. Because of this, security was one of the first areas we invested in when building out our internal Platform as a Service (PaaS), kickstarting our iteration towards production readiness.”