How many times to encrypt data in transit?

Spoiler alert: no code examples in this article 😊

Securing application traffic, also referred to as encrypting data in transit or application communication encryption, is a standard security practice and, almost always, a requirement for any multi-tier application. A common practice is to use the SSL / TLS protocols. The implementation should declare the version(s) and cipher(s) of the supported protocol(s).

Cloud native applications are often deployed on Kubernetes, such as GKE in Google Cloud (GCP). Although the idea of encrypting data in transit is simple, implementing and operating it may require considerable investment. It may prove helpful to understand how…

Kubernetes has supported ephemeral containers for some time now. Starting from Kubernetes version 1.18, ephemeral containers can be used to debug running pods, in addition to a large set of other troubleshooting methods. While GKE already supports Kubernetes 1.18, the kubectl debug command is still unavailable, mainly because this feature is still marked as Alpha in the Kubernetes API. So, what else can you do besides inspecting GKE application logs and traces?

It is possible to access a running pod’s containers from the hosting VM. In GKE, most clusters use COS to run worker nodes. When you are SSH’ing to the…

The term label usually describes a key/value pair that is attached to some object. In Kubernetes, labels are key/value pairs attached to resources defined in manifests, such as pods. Kubernetes labels can be used to organize and to select subsets of objects. Google Cloud labels (referred to later in the post as Cloud labels) are mainly used to categorize resources in billing reports in order to simplify analysis of spending. When the term label is used with the GKE service, it sometimes creates ambiguity and confusion. The GKE documentation, which references them as “cluster labels”, may contribute to the…

Among the requirements for secure access to remote machines are easy management of the user-to-VM access matrix and low solution and operational costs. For VM fleets hosted on Google Cloud this is easy to do. In this post I build an example of a working solution based on OS Login and IAP Tunneling and review a few important focus points about the technology and best practices.

How it is usually done.

The majority of existing solutions for data centers and cloud providers use one of three constructs:

  • SSH / RDP encrypted connection to the destination host
  • SSH / RDP encrypted connection to a Bastion host…


Cloud Engineer in PSO at Google, specializing in Infrastructure, AppDev, Security and SRE. Horsemanship in free time.
